Privacy-Preserving Biometric Authentication

ABSTRACT

A system for using biometric data to authenticate a subject as an individual whose biometric data has been previously obtained. A second transducer has a digital electronic signal output characterizing a biometric of the subject; a second computing facility to receive the digital electronic signal; and an array of servers. These components implement processes including causing generating of shards from the digital electronic signal and distributing of the generated shards to the array of servers; causing storing of the generated shards and performing of a data exchange process using a subset of the generated shards to develop information relating to authentication of the subject; and causing processing of the authentication information in a verification process to indicate whether the subject is authenticated as the individual. A related enrollment system is also provided.

RELATED APPLICATION

This patent application is a continuation of co-pending U.S. patent application Ser. No. 17/116,483, filed Dec. 9, 2020, which claims the benefit of U.S. provisional patent application Ser. No. 63/058,330, filed Jul. 29, 2020, and U.S. provisional patent application Ser. No. 62/945,590, filed Dec. 9, 2019. Each of these applications is hereby incorporated herein by reference in its entirety.

TECHNICAL FIELD

The present invention relates to biometric authentication, and more particularly to privacy-preserving biometric authentication.

BACKGROUND ART

Biometric-based authentication provides a powerful function in today's digital world: it allows people to authenticate themselves securely using biometrics without having to remember a complex password or carry around a hardware token. During enrollment or registration, an individual's biometric is captured, and the biometric or a biometric template is stored. (A biometric template can be created from biometric data, for example by using algorithms involving feature extraction or using machine learning or computer vision algorithms.) Then, during a subsequent authentication, a subject's biometric is captured and compared with or matched against the stored biometric or biometric template. This approach, however, comes with problematic security and privacy issues. For example, in traditional biometric matching, the system must be able to access the template in plaintext in order to run the matching algorithm; this opens a vulnerability for attackers to steal the template or breach a database to obtain users' biometric data or other confidential information, similar to how attackers breach password databases. The damage is worse with biometrics, because users cannot reset them: fingerprints cannot be reset like passwords. The biometrics are stored either centrally or locally. When the biometrics are stored in one or more centralized databases, the databases are a high-value target for attackers. When the biometrics are stored locally, such as on each user's device like an iPhone, there are additional drawbacks including, for example, that if a user loses her device, she can no longer authenticate because the biometric she enrolled with was stored on her lost device, so there is no stored biometric available to match against.

Today's “multiparty computation” or “MPC” techniques, when applied to biometrics, still require the biometric template from enrollment to be stored on a server. During authentication, the subject's biometric template on a client is compared with the biometric template on the server using multiparty computation, wherein the server and client perform MPC to compute a match score of the two templates. Although this technique avoids the parties' exchanging biometric templates (as occurs in classical biometric authentication), the approach is not privacy preserving, for example because both the server and client learn this match score. Existing approaches that use MPC are too inefficient to scale to millions of users. For example, certain approaches require excessive computation (on the order of seconds per user per authentication), others require excessive communication (sometimes more than 10 MB exchanged per user per authentication over dozens or even hundreds of rounds), and others have a weak security model (such as being insecure with one or more actively malicious servers). Many such approaches require the server to store the biometric template in plaintext, just as in traditional biometric authentication. One approach shards the data between the client and server, which prevents a single point of failure at the server, but this introduces a requirement that the same client device be used in future authentication, because the shard or shards stored by the client device are required in future authentication. Therefore, this approach shares the limitations of locally stored biometric authentication, because loss of the client device implies loss of the credential and of the ability to authenticate.

SUMMARY OF THE EMBODIMENTS

The present application describes a privacy-preserving approach to authenticate users with significant improvements over the prior art.

In accordance with one embodiment of the invention, there is provided a method for using biometric data to authenticate a subject as an individual whose biometric data has been previously obtained using a first transducer. The method utilizes computer processes that include generating shards from a digital electronic signal, provided as an output by a second transducer, such signal characterizing a biometric of the subject. The computer processes also include causing distribution of the generated shards to an array of servers, so that the array of servers can store the generated shards and perform a data exchange process using a subset of the generated shards to develop information relating to authentication of the subject. The computer processes further include processing the information developed by the array of servers to generate an output value indicating whether the subject is authenticated as the individual.

Optionally, the computer processes are performed by computing entities configured as information-sharing restricted with respect to a set of items of information selected from the group consisting of the output value, the digital electronic signal, the individual's biometric data, the subject's biometric, the generated shards, and combinations thereof. Optionally, the computer processes further include encoding the digital electronic signal, so that the generated shards are also encoded. Alternatively or additionally, encoding includes using a neural net. Alternatively or additionally, encoding includes representing the digital electronic signal as a set of vectors in a metric space. Alternatively or additionally, performing the data exchange process, using the subset of the generated shards to develop information relating to authentication of the subject, includes computing a set of distances in the metric space.

Optionally, the data exchange process includes a multiparty computation under conditions wherein none of the servers in the server array obtains intermediate values of the multiparty computation. Optionally, a selected group of the array of servers causes generation of new shards based on the generated shards. Optionally, a shard is revocable by a revocation process that includes the data exchange process. Alternatively or additionally, upon revocation of the shard, generation of a new shard does not require that the individual re-engage with the first transducer. Alternatively or additionally, the revocation process is configured in a manner without communication between the array of servers and other computing entities. Alternatively or additionally, the revocation process includes performing the data exchange process using a subset of the subset of generated shards from a subset of the array of servers. Alternatively or additionally, the data exchange process involves communication among a selected group of servers from the array of servers. Alternatively or additionally, performing the data exchange process includes separately processing, by each server, its generated shards of the individual along with its generated shards of the subject to generate a new set of shards, the new set of shards constituting the output value. Alternatively or additionally, the data exchange process includes causing the array of servers to execute a multiparty computation algorithm to determine a blinded value, causing the array of servers to compute a corresponding shard and to return, to a computing entity, the computed shard along with values for the message authentication codes previously computed, and causing the computing entity to use the shard data to determine whether the subject is authenticated as the individual and to evaluate the message authentication codes.

Optionally, receiving and storing by the array of servers the generated shards includes receiving and storing message authentication codes for the shards, and the data exchange process includes using the message authentication codes to confirm that the output value indicating whether the subject is authenticated as the individual is itself authentic. Optionally, receiving and storing by the array of servers the generated shards includes receiving and storing shards of Beaver triples distributed across the array of servers with the generated shards. Alternatively or additionally, receiving and storing by the array of servers the generated shards includes receiving and storing message authentication codes for the Beaver triples. Alternatively or additionally, receiving and storing by the array of servers the generated shards includes receiving and storing shards of a corresponding message authentication code key.

Optionally, receiving and storing by the array of servers the generated shards includes receiving and storing shards of a random value. Optionally, receiving and storing by the array of servers the generated shards includes receiving and storing shards of a function that contributes to an authentication process. Optionally, receiving and storing by the array of servers the generated shards includes extracting a confident subset of a set of biometric values of the subject in the digital electronic signal. Optionally, receiving and storing by the array of servers a set of values to enable efficient subsequent generation of shards includes receiving and storing items selected from the group consisting of Beaver triples, authentication shares, message authentication code shards, random shards, other shards, and combinations thereof.

In accordance with another embodiment of the invention, there is provided a system for using biometric data to authenticate a subject as an individual whose biometric data has been previously obtained using a first transducer coupled to a first computing facility. The system has computing components that include a second transducer having a digital electronic signal output that characterizes a biometric of the subject. The computing components also include a second computing facility, coupled to the second transducer, configured to receive from the second transducer the digital electronic signal. The computing components further include an array of servers and a third computing facility. The second computing facility, the array of servers, the third computing facility, and a computer-readable medium encoded with instructions which, upon execution by the foregoing computing components, establish computer processes that include causing, by the second computing facility, generating of shards from the digital electronic signal and distributing of the generated shards to the array of servers. The computer processes also include receiving and storing by the array of servers the generated shards. The computer processes further include performing, by a subset of the array of servers, a data exchange process using a subset of the generated shards to develop information relating to authentication of the subject. The computer processes also include transmitting, by the subset of the array of servers, to the third computing facility, the information developed, wherein the developed information is configured to cause the third computing facility to generate an output value indicating whether the subject is authenticated as the individual.

Optionally, the computer processes are performed under conditions wherein the computing components are configured as information-sharing restricted with respect to an item of information selected from the group consisting of the output value, the digital electronic signal, the individual's biometric data, the subject's biometric, and the generated shards. Optionally, the computer processes are performed under conditions wherein the computing components are configured as information-sharing restricted with respect to a plurality of items of information selected from the group consisting of the output value, the digital electronic signal, the individual's biometric data, the subject's biometric, and the generated shards.

Optionally, causing by the second computing facility further includes causing encoding of the digital electronic signal, so that the generated shards are also encoded. Alternatively or additionally, causing encoding includes causing use of a neural net to achieve encoding. Alternatively or additionally, causing encoding includes causing representation of the digital electronic signal as a set of vectors in a metric space. Alternatively or additionally, performing the data exchange process, using the subset of the generated shards to develop information relating to authentication of the subject, includes computing a set of distances in the metric space. Optionally, the data exchange process includes a multiparty computation wherein none of the servers in the server array obtains intermediate values of the multiparty computation. Optionally, a selected group of the array of servers causes generation of new shards based on the generated shards.

Optionally, a shard is revocable by a revocation process that includes the data exchange process. Alternatively or additionally, upon revocation of the shard, generation of a new shard does not require that the individual re-engage with the first transducer. Alternatively or additionally, the revocation process does not require communication between the computing facility and the array of servers. Alternatively or additionally, the revocation process includes performing the data exchange process using a subset of the subset of generated shards from a subset of the subset of the array of servers. Alternatively or additionally, the data exchange process involves communication among a selected group of servers from the array of servers. Alternatively or additionally, performing the data exchange process includes separately processing, by each server, its generated shards of the individual along with its generated shards of the subject to generate a new set of shards, the new set of shards constituting the output value.

Optionally, receiving and storing by the array of servers the generated shards includes receiving and storing message authentication codes for the shards, and the data exchange process includes using the message authentication codes to confirm that the output value indicating whether the subject is authenticated as the individual is itself authentic. Alternatively or additionally, receiving and storing by the array of servers the generated shards includes receiving and storing shards of Beaver triples distributed across the array of servers with the generated shards. Alternatively or additionally, receiving and storing by the array of servers the generated shards includes receiving and storing message authentication codes for the Beaver triples. Alternatively or additionally, receiving and storing by the array of servers the generated shards includes receiving and storing shards of a corresponding message authentication code key.

Optionally, receiving and storing by the array of servers the generated shards includes receiving and storing shards of a random value. Optionally, receiving and storing by the array of servers the generated shards includes receiving and storing shards of a function that contributes to an authentication process. Alternatively or additionally, receiving and storing by the array of servers the generated shards includes extracting a confident subset of a set of biometric values of the subject in the digital electronic signal. Alternatively or additionally, the data exchange process includes causing the array of servers to execute a multiparty computation algorithm to determine a blinded value, causing the array of servers to compute a corresponding shard and to return, to the second computing facility, the computed shard along with values for the message authentication codes previously computed, and causing the second computing facility to use the shard data to determine whether the subject is authenticated as the individual and to evaluate the message authentication codes. Alternatively or additionally, receiving and storing by the array of servers a set of values to enable efficient subsequent generation of shards includes receiving and storing items selected from the group consisting of Beaver triples, authentication shares, message authentication code shards, random shards, other shards, and combinations thereof.

In accordance with one embodiment of the invention, there is provided a system for securely enrolling biometric data of an individual for purposes of later authentication of a subject as the individual. The system has components that include a first transducer having a digital electronic signal output that characterizes a biometric of the individual. The components also include a first computing facility, coupled to the first transducer, configured to receive from the first transducer the digital electronic signal. The components further include an array of servers and a second computing facility. The first computing facility, the array of servers, the second computing facility, and a computer-readable medium encoded with instructions which, upon execution by the foregoing computing components, establish computer processes that include causing generating of original shards from the digital electronic signal. The computer processes further include distributing, across the array of servers, the generated original shards. The computer processes also include causing the array of servers to store the generated original shards, the generated original shards being stored under conditions wherein they are revocable.

Optionally, the first computing facility, the array of servers, and the second computing facility are configured to implement computer processes further including causing generating of new shards based on the original shards. Alternatively or additionally, generating new shards does not require communication between the first computing facility and the array of servers. Optionally, in the computer processes implemented by the first computing facility, the array of servers, and the second computing facility, distributing, across the array of servers, the generated original shards further includes distributing the generated original shards across the array of servers along with helper information selected from the group consisting of Beaver triples, function secret shares, and combinations thereof, such helper information being available for use in later authentication of the subject; and causing the array of servers to store the helper information in association with the generated original shards.

In accordance with one embodiment of the invention, there is provided a system for securely enrolling biometric data of an individual for purposes of later authentication of a subject as the individual, the system having computing components that include a first transducer having a digital electronic signal output that characterizes a biometric of the individual. The computing components also include a first computing facility, coupled to the first transducer, configured to receive from the first transducer the digital electronic signal. The computing components further include an array of servers and a second computing facility. The first computing facility, the array of servers, the second computing facility, and a computer-readable medium encoded with instructions which, upon execution by the foregoing computing components, establish computer processes that include causing generating of original shards from the digital electronic signal. The computer processes also include distributing, across the array of servers, the generated original shards. The computer processes further include causing the array of servers to store the generated original shards. The computer processes also include causing generating of new shards based on the original shards.

Optionally, generating new shards does not require communication between the first computing facility and the array of servers.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing features of embodiments will be more readily understood by reference to the following detailed description, taken with reference to the accompanying drawings, in which:

FIG. 1A is a block diagram of a computer system for performing enrollment and authentication in accordance with an embodiment of the present invention.

FIG. 1B is a block diagram illustrating another computer system for performing enrollment and authentication in accordance with an embodiment of the present invention.

FIGS. 1C and 1D are block diagrams illustrating communication paths for enrollment and authentication, respectively, in a computer system using n servers in accordance with an embodiment of the present invention.

FIG. 2 is a diagram of logical flow illustrating how encryption of shards distributed to the servers in the course of enrollment is achieved by the first biometric computer system in accordance with one embodiment of the present invention.

FIG. 3 is a diagram of logical flow in authentication under circumstances in which the shards have been encrypted in accordance with the processes described in connection with FIG. 2.

FIG. 4 is a diagram of logical flow of an enrollment process, in accordance with an embodiment of the present invention.

FIG. 5 is a diagram of logical flow of an authentication process, in accordance with a related embodiment of the present invention.

FIG. 6 is a diagram of logical flow of an authentication process, in accordance with another related embodiment of the present invention.

DETAILED DESCRIPTION OF SPECIFIC EMBODIMENTS

Definitions. As used in this description and the accompanying claims, the following terms shall have the meanings indicated, unless the context otherwise requires:

A “set” includes at least one member.

A “subset” of a set is any collection of its members, and may be the entirety of the set.

An “array of servers” is a plurality of servers.

A system of computing components is configured as “information-sharing restricted” with respect to an item of information when the item of information is being handled by a given component and the given component is prevented from sharing the information with at least one other component of the system. For purposes of this definition, an array of servers is considered a single component.

A “computer process” is the performance of a described function in a computer system using computer hardware (such as a processor, field-programmable gate array or other electronic combinatorial logic, or similar device), which may be operating under control of software or firmware or a combination of any of these or operating outside control of any of the foregoing. All or part of the described function may be performed by active or passive electronic components, such as transistors or resistors. In using the term “computer process” we do not necessarily require a schedulable entity, or operation of a computer program or a part thereof, although, in some embodiments, a computer process may be implemented by such a schedulable entity, or operation of a computer program or a part thereof. Furthermore, unless the context otherwise requires, a “process” may be implemented using more than one processor or more than one (single- or multi-processor) computer.

An “individual” is an animate or inanimate object having a unique identity, and may be a human or other organism.

A “subject” is an animate or inanimate object purporting to have the unique identity of a specific individual.

A “biometric” is a measurable characteristic of a distinct individual or of a distinct group of individuals, or a combination of such characteristics, that may be used to determine the unique identity of the individual or group. Some non-limiting examples of such measurable organic characteristics are: an iris pattern, a periocular region of a face, a retinal blood vessel pattern, a fingerprint, a genetic pattern or DNA fingerprint, a voice print, a speed or cadence of typing, a pattern of blood flow, a brain structure or electrical pattern, a behavioral signal (such as hand movements), expertise-based continuous biometrics, and a gait of the individual. An example of a measurable inorganic characteristic, when the individual is a distinct silicon wafer having transistors, is a random variation in the transistor gate delays caused by the process of manufacturing the distinct silicon wafer; such a “silicon biometric” is detectable using a ring oscillator, as is known in the art.

A “biometric value” is a categorization of a portion of a measurement of a biometric according to a property of the measurement. For example, if the biometric is an iris print, and measurement consists of imaging an iris as an array of pixels, then the relevant portion of the measurement is a single pixel in the image, and the relevant property may be a brightness or color of the pixel to be categorized. Measurement of the entire biometric may include many biometric values.

A “confidence value for a biometric value”, or simply “confidence value”, is a number indicating a degree of relative confidence that the corresponding biometric value was correctly categorized.

A “confident subset” of biometric data is a collection of biometric values, selected according to their respective confidence values, that is (a) large enough to uniquely identify an individual within a given universe of identifiable individuals, and (b) small enough to be repeatably obtainable across measurements of the corresponding biometric under different conditions.

A “transducer” is any device having, as an output, an electronic signal that encodes a characterization of a biometric as a set of measured biometric values. If the output of such a device is not directly digital, then the term “transducer” includes any device additionally used to transform the output into digital form.

A “computing facility” means an electronic system having components that include a computing processor and a memory storing instructions that can be executed by the computing processor. A computing facility may be found, for example, in a desktop computer, a smartphone, a tablet computer, a wearable, a smart watch, and similar electronic devices. A computing facility also may be found in embedded computing systems that perform specialized computations, for example point-of-sale machines, automated teller machines (ATMs), physical access barriers, video display kiosks, and similar electronic devices.

A value is “sharded” when it is converted into individual components that, taken alone, reveal nothing about the value but, when combined, reveal the value. For example, x can be arithmetically sharded into [x]₁, [x]₂ as:

[x]₁ = r mod p

[x]₂ = (x − r) mod p

where r is a random integer drawn uniformly from {0, …, p−1} and p is a large prime number (a prime is chosen so that the shards live in a field, which the multiplication and interpolation steps used later rely on; addition alone works modulo any integer). One can see that x = [x]₁ + [x]₂ mod p, but [x]₁ and [x]₂ are each uniformly distributed (because r is), so either shard by itself reveals nothing about x. Arithmetic sharding is only one of a number of shard types; others include Shamir shards (polynomial interpolants), bitwise XOR shards, linear shards, function shares, etc.
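The two-shard construction in the definition above, generalised to n shards and to the XOR variant the definition also names, as an added example (this is illustrative code, not code from the patent). The function names are mine and the prime p is a parameter the caller supplies; shard_histogram makes the "reveals nothing" property concrete by tabulating the second shard over every choice of r for a toy prime.

```python
"""Arithmetic and XOR sharding, as in the definition above (added example)."""
import secrets


def arith_share(x, n, p):
    """Split x (reduced mod p) into n arithmetic shards.

    Shards 1..n-1 are drawn uniformly from Z_p; the last one is chosen so
    that all shards sum to x mod p. With n = 2 this is exactly
    [x]_1 = r, [x]_2 = x - r from the definition.
    """
    x %= p
    shards = [secrets.randbelow(p) for _ in range(n - 1)]
    shards.append((x - sum(shards)) % p)
    return shards


def arith_reconstruct(shards, p):
    """Combine every arithmetic shard: x = sum of shards mod p."""
    return sum(shards) % p


def arith_sub(a, b, p):
    """Shard-wise subtraction: holder j computes [a]_j - [b]_j on its own.

    Sharding is linear, so no communication is needed; this is how an
    array of servers forms shards of (enrolled value - presented value)
    without any server seeing either value.
    """
    return [(x - y) % p for x, y in zip(a, b)]


def xor_share(data: bytes, n: int):
    """Bitwise XOR shards of a byte string: n-1 random pads plus the remainder."""
    pads = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = bytes(data)
    for pad in pads:
        last = bytes(d ^ q for d, q in zip(last, pad))
    return pads + [last]


def xor_reconstruct(shards):
    """XOR all shards back together."""
    out = bytes(len(shards[0]))
    for sh in shards:
        out = bytes(o ^ s for o, s in zip(out, sh))
    return out


def shard_histogram(x, p):
    """Distribution of [x]_2 = x - r over every r in Z_p (two-shard case).

    The histogram is flat whatever x is: each possible shard value occurs
    exactly once, so observing one shard gives no information about x.
    """
    hist = [0] * p
    for r in range(p):
        hist[(x - r) % p] += 1
    return hist
```

The XOR form is the natural choice for fixed-width encodings such as a bit-string template; the arithmetic form is the one the later distance computation needs, because distances are sums and products in Z_p.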

A process recited as including “encoding and extracting into shards” may be carried out in any order, namely, in a first order, wherein the encoding precedes the extracting into shards, or in a second order, wherein the extracting into shards precedes the encoding.

As illustrated herein, a “shard” does not necessarily have to be a secret. Depending on context, the shard might be a secret or might not be a secret.

1 Transforming Biometric Data

Embodiments of the present invention provide computer systems and methods for transforming biometric data into a form that protects its privacy while permitting its indirect use for purposes including authentication. These embodiments are discussed below.

FIG. 1A is a block diagram of a computer system for performing enrollment and authentication in accordance with an embodiment of the present invention. FIG. 1A shows an individual (user) 103, a subject (user') 106, and at least two servers 101, 102, that constitute an array of servers. The individual 103 uses a mobile phone with software, called a client 104 (in this case written in JavaScript), which runs in a web browser, and the web browser in turn runs on the individual's mobile phone. In the embodiment of FIG. 1A, the client 104 has access to the camera on the mobile phone to take pictures of the individual's face. The client 104 interacts with the user 103 and with the other entities on behalf of the user 103.

The subject (user') 106 uses a different device (client' 107), such as a different mobile phone, a laptop, a kiosk, etc. This device also runs client software.

In the embodiment of FIG. 1A, server 1, shown as item 101, is implemented in Go, and is deployed using Kubernetes on Google Cloud Platform (e.g., in the central United States). The server 101 has a Postgres database that stores the encoded shards used in the process. In addition to running a set of programs having application programming interfaces (APIs) for communicating with server 2, shown as item 102, the set of programs running on server 101 also has APIs for communicating with the client 104. These APIs for communicating with the client 104 include, for example, APIs for enrolling, authenticating, and signing.

In the embodiment of FIG. 1A, server 2, shown as item 102, is implemented in Python, and is deployed in Amazon AWS (e.g., in eastern Europe). In this embodiment, the server 102 has a MySQL database that stores the encoded shards used in the process. The server 102 has APIs similar to those of server 101, except written in Python on the server side.

In the embodiment of FIG. 1A, a series of processes is implemented, as follows.

First, an enrollment process is initiated (by the individual 103 or by another party). In this process, the client 104 requests the individual 103 to take a picture of the individual's face, and the individual 103 takes such a picture. Liveness detection is used with respect to the image of the individual's face in the picture.

Next, in the enrollment process, the client 104, using the captured image of the individual's face, creates enrollment shards, and sends the enrollment shards to the server 101 and server 102, which store the enrollment shards.

After enrollment, an authentication process is initiated (by the subject 106 or by another party). During the authentication process, the subject's client 107 requests the subject 106 to take a picture of the subject's face, and the subject 106 takes such a picture.

Next, in the authentication process, the subject's client 107, using the captured image of the subject's face, creates authentication shards, and sends the authentication shards to the server 101 and server 102, which store the authentication shards.

During a data exchange process of the authentication process, the servers 101 and 102 communicate with each other, with respect to the stored shards, to develop information relating to authentication of the subject, and each server 101, 102 sends a communication to the subject's client 107. The subject's client 107, on receipt of the communications, can then determine whether the subject 106 was successfully authenticated as the individual 103. The subject's client can make this determination without the subject 106 learning information about the enrolled individual 103.
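The data exchange just described, as an added example of what the two servers can compute on shards without either of them learning the templates or the distance. This is my illustration, not the patent's or any product's code; it combines the helper data listed in the summary (shards of Beaver triples, of a MAC key, of MACs, and of random values) in the SPDZ style, under assumptions of mine: the encoded template is a short integer vector in Z_P, the enrolling client acts as the dealer of that helper data, the match criterion is a squared Euclidean distance below a threshold, and P, N, THRESHOLD and all names are illustrative.

```python
"""Two-server data exchange on shards with Beaver triples and SPDZ-style MACs.

Added example, not code from the patent or any product; P, THRESHOLD and the
dealer role of the enrolling client are assumptions of mine (see lead-in).
"""
import secrets

P = 2**61 - 1   # assumed prime field modulus
N = 2           # servers 101 and 102
THRESHOLD = 3   # assumed match threshold on the squared distance

def share(x):
    s = [secrets.randbelow(P) for _ in range(N - 1)]
    return s + [(x - sum(s)) % P]

def reconstruct(shards):
    return sum(shards) % P

class Auth:
    """Authenticated shared value: per-server shards of x and of alpha*x."""

    def __init__(self, s, m):
        self.s, self.m = s, m

    def __add__(self, o):
        return Auth([(a + b) % P for a, b in zip(self.s, o.s)],
                    [(a + b) % P for a, b in zip(self.m, o.m)])

    def scale(self, k):            # public constant times shared value, locally
        return Auth([k * a % P for a in self.s], [k * a % P for a in self.m])

    def __sub__(self, o):
        return self + o.scale(P - 1)

    def add_const(self, k, alpha_sh):  # shared value plus public constant, locally
        s = list(self.s)
        s[0] = (s[0] + k) % P        # only server 0 adjusts the value shard
        return Auth(s, [(m + k * al) % P for m, al in zip(self.m, alpha_sh)])

def deal(x, alpha):
    """Dealer (enrolling client) produces shards of x and of its MAC alpha*x."""
    return Auth(share(x), share(alpha * x % P))

def open_checked(v, alpha_sh):
    """Open v and verify sum_j([alpha v]_j - v*[alpha]_j) == 0; a server that
    alters a value shard cannot fix its MAC shard without the whole key alpha."""
    val = reconstruct(v.s)
    if sum((m - val * a) % P for m, a in zip(v.m, alpha_sh)) % P:
        raise ValueError("MAC check failed: a shard was tampered with")
    return val

def mul(u, v, triple, alpha_sh):
    """Beaver multiplication: open u-x and v-y (MAC-checked), then recombine."""
    x, y, z = triple
    eps, dlt = open_checked(u - x, alpha_sh), open_checked(v - y, alpha_sh)
    return (z + y.scale(eps) + x.scale(dlt)).add_const(eps * dlt % P, alpha_sh)

def enroll(template):
    """Enrolling client: shards the encoded template and one-time helper data."""
    alpha, triples = secrets.randbelow(P), []
    for _ in template:
        x, y = secrets.randbelow(P), secrets.randbelow(P)
        triples.append((deal(x, alpha), deal(y, alpha), deal(x * y % P, alpha)))
    return {"alpha": share(alpha),
            "template": [deal(e % P, alpha) for e in template],
            "in_masks": [deal(secrets.randbelow(P), alpha) for _ in template],
            "out_mask": deal(secrets.randbelow(P), alpha),
            "triples": triples}

def authenticate(state, probe):
    """Subject's client plus both servers; returns (match, value the servers saw)."""
    alpha_sh = state["alpha"]
    # 1. Servers send the subject their shards of the masks; the subject learns r_i, m.
    r = [reconstruct(mk.s) for mk in state["in_masks"]]
    m = reconstruct(state["out_mask"].s)
    # 2. Subject broadcasts a_i - r_i; servers form authenticated shards of a_i locally.
    probe_sh = [mk.add_const((a - ri) % P, alpha_sh)
                for mk, a, ri in zip(state["in_masks"], probe, r)]
    # 3. Servers accumulate shards of m + sum (e_i - a_i)^2, one triple per term.
    acc = state["out_mask"]
    for e, a, t in zip(state["template"], probe_sh, state["triples"]):
        d = e - a
        acc = acc + mul(d, d, t, alpha_sh)
    # 4. Servers open only the blinded value D + m; the subject removes m and thresholds.
    blinded = open_checked(acc, alpha_sh)
    return (blinded - m) % P < THRESHOLD, blinded

def tamper_is_detected(state, probe):
    """Server 1 nudges one template shard; the MAC check must catch it."""
    state["template"][0].s[1] = (state["template"][0].s[1] + 1) % P
    try:
        authenticate(state, probe)
    except ValueError:
        return True
    return False
```

Every value a server sees during the exchange (a_i − r_i, the two Beaver openings per coordinate, and D + m) is uniformly random in Z_P, so neither server learns the templates, the distance, or the match result; the subject's client learns the distance but never the enrolled template. The masks and triples are single-use, which is why an embodiment can provision several sets at enrollment and replenish one after each successful authentication, and why a revocation can simply discard a set. With both servers compromised the MAC check gives no protection: the dealer-based MAC is sound against at most N − 1 corrupt servers.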

The embodiment of FIG. 1A is privacy preserving, for example, becauseneither of the servers 101, 102 knows whether the subject 106 wassuccessfully authenticated as the individual 103; neither of the servers101, 102 nor the subject's client 107 gain access to the individual'sbiometric template (namely, an image of the individual's face); andneither of the servers 101, 102 gains access to the subject's biometrictemplate (namely, an image of the subject's face).

The embodiment of FIG. 1A is also revocable, for example, because the shards stored by the servers 101, 102 are revocable. If a malicious subject 106 compromises the subject's client 107 and compromises all but one server, this embodiment prevents the malicious subject 106 from accessing information related to the individual 103. In the case of such compromise, in this embodiment, the credentials of the individual 103 (which can include the shards on the servers 101, 102) can be revoked and new credentials can be issued for the individual 103. In some embodiments, the issuing of the new shards can occur without the individual's involvement. Accordingly, if an external adversary is able to compromise all but one server, this adversary still learns nothing about the individual 103, and the credentials of the individual 103 can be revoked and new credentials issued without involving the individual 103.

In one embodiment of FIG. 1A, five sets of shards are generated during the enrollment process. Each server 101, 102 receives five sets of shards. During each authentication process, one of the sets of shards is destroyed. In this embodiment, when an authentication process is successful, a new set of shards is generated and distributed, using steps similar to the enrollment process.

This embodiment optionally includes a process to handle the case in which one or more servers in the server array go down or are busy, offline, or otherwise unavailable. An exemplary process may include, for example, creating redundancy by creating multiple copies of each server. Another exemplary process may include performing sharding using techniques, such as Shamir shards, in which only a certain threshold number of shards are required, such as n out of m shards. In such a process, authentication is possible even when one or more servers with shards is not involved in the authentication process. In the event that one or more servers in the server array becomes unavailable, operations of enrollment and authentication can be carried out using a subset of servers in the array. Determination of the subset of servers to carry out such operations can be based on a combination of one or more conditions including, for example: online status, availability, breach condition, capacity, location, privilege status, and security group.

The embodiment of FIG. 1A also addresses the concern of catastrophic credential loss, which can include, for example, a subject losing her password or token such that an account reset is required. Account reset processes can be costly, for example because they involve expensive cost centers, users not completing their transaction, etc. Current account reset processes are not privacy-preserving, for example because they can default to having a central database of user information and the use of knowledge-based authentication (KBA), which can include asking a user questions about their favorite sports team or a car they owned, to reset a user's account. This embodiment addresses catastrophic credential loss, for example because account access does not require remembering a password or having possession of a token, thereby avoiding the circumstances of requiring a reset due to a lost password or lost token.

In one embodiment, liveness detection is used to ensure the biometric is being taken of a real person. In one embodiment, liveness detection includes shining light on the face from different angles while taking a picture of the face. In another embodiment, a neural net that is trained to detect the difference between photos of real people and photos of screens or photos is used. In one embodiment, an infrared camera is used in conjunction with an optical camera. In one embodiment, sensors detect a range of conditions, such as breathing, pulse, or depth between fingerprint ridges. In one embodiment, the individual must participate in the liveness detection, such as by turning their head, speaking a phrase, or clicking a button. In one embodiment, the liveness indication is part of the digital electronic signal. In another embodiment, the liveness indication is contained within the shards.

In some embodiments, revocation processes do not need to include the creation of new shards. For example, regulations including the General Data Protection Regulation (GDPR) include a right to be forgotten, or a right for individuals to have their personal data erased. Some embodiments' ability to perform revocation enables the right to be forgotten, even in the case of breach of servers and compromise of shards.

In some embodiments, revocation processes cause one or more shards to be useless in future authentication. In one embodiment, if the client and all but one server are compromised, an adversary learns nothing, and the credentials of the individual can be revoked and new credentials issued. In one embodiment, a shard is a credential. In one embodiment, if the shard is revealed (such as by a breach or other compromise), the shard can be revoked and reissued. In one embodiment, a credential is a subset of the shards. In one embodiment, a credential is an encoded version of the biometric data. In one embodiment, a credential is a vector resulting from a neural net. In one embodiment, a credential is a biometric template. In one embodiment, issuing a new credential does not require the individual user. In one embodiment, the system of FIG. 1A is configured to require the individual user to issue new credentials. In another embodiment, the individual user is required to issue replacement shards. In one embodiment, a useless shard is called cancelled.

In one embodiment, the array of servers is five servers that each have unique shards, and one of the servers is compromised. In one embodiment, to revoke the compromised shards, not all five servers have to be involved. There are several example ways to revoke the compromised shards, as follows (non-exhaustive list).

In one example, a subset (e.g., three) of the five servers in the array can cause the generation of new shards. The three new shards work in conjunction with the remaining two servers' original shards. The usefulness, for authentication, of the three original shards from the three servers in the subset is terminated from the authentication process. For example, if one of the three original shards was compromised, the compromised shard is made no longer useful in determining the success of future authentication attempts, and the security posture of the system is returned to that prior to the compromise of the one server.

In another example, the generation of three new shards by the three servers in the subset terminates the usefulness of the remaining two original shards from the other two servers in the five-server array.

In another example, one server in the array deletes its shards, which action terminates the usefulness of all remaining shards held by the other servers in the array.

In the field of sharding, it is the case that one or more (but not every) shards being compromised does not compromise the individual's biometric. In the prior art, the compromised shards are a persistent security vulnerability. That is, they retain their usefulness to the authentication process. Thus, the security model becomes weaker with every shard that is compromised. But in embodiments of the present invention, the revocability capability (revoking the compromised shards) enables recovery of the security posture because the usefulness of the compromised shards may be terminated.

Assume a situation where a biometric has been sharded into 5 shards, and the compromise of 3 out of 5 shards would compromise the biometric. In the prior art, if one shard was compromised, only two more shards would need to be compromised to compromise the biometric. In embodiments of the present invention, however, the revocability capability enables recovery of the security posture (i.e., that 3 shards must be compromised to compromise the biometric) because the usefulness of the compromised shard may be terminated. Various embodiments uniquely allow a shard to be compromised without its compromise resulting in persistent compromising of the security of the system. The revocation capability limits the time frame during which an adversary may attempt to use a compromised shard, thereby reducing the attack surface. Because the revocation process can be performed by the servers without involvement of the client, revocation can be done very efficiently.
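The threshold and revocation behaviour described in the preceding paragraphs can be seen in a small Shamir secret-sharing model. The following Python is an added example, not code from the patent or from Badge; it uses a constructed 3-of-5 policy and field prime, and it illustrates revocation with a standard Shamir share refresh rather than the patent's specific regeneration steps. Any three shards reconstruct the secret even with a server offline, two shards do not, and once the shards are refreshed a previously leaked shard no longer combines with the fresh ones.

```python
import secrets

# Constructed example: Shamir secret sharing over a prime field.
# The prime and the 3-of-5 policy are assumptions for illustration,
# not parameters taken from the patent.
PRIME = 2**127 - 1   # a Mersenne prime; any prime larger than the secret works


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with the given coefficients at x (mod PRIME)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def make_shards(secret, threshold, n_servers):
    """Split secret into n_servers shards; any `threshold` of them reconstruct it.

    Returns {server_id: shard_value} with server ids 1..n_servers.
    """
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return {i: _eval_poly(coeffs, i) for i in range(1, n_servers + 1)}


def reconstruct(shards):
    """Lagrange interpolation at x=0 using only the shards that took part."""
    secret = 0
    ids = list(shards)
    for i in ids:
        num, den = 1, 1
        for j in ids:
            if i != j:
                num = num * (-j) % PRIME
                den = den * (i - j) % PRIME
        secret = (secret + shards[i] * num * pow(den, -1, PRIME)) % PRIME
    return secret


def refresh_shards(shards, threshold, n_servers):
    """Proactive refresh: every server adds its shard of a fresh sharing of 0.

    The refreshed shards still encode the same secret but lie on a different
    polynomial, so an old shard (e.g. one that leaked) no longer combines
    with them. Standard Shamir refresh, used here to illustrate the
    'terminate the usefulness of a compromised shard' property.
    """
    zero_shards = make_shards(0, threshold, n_servers)
    return {i: (shards[i] + zero_shards[i]) % PRIME for i in shards}


def demo():
    """3-of-5: one server offline, one shard leaked, then a refresh."""
    secret = 0x5EC7E7
    shards = make_shards(secret, threshold=3, n_servers=5)

    # Server 4 is offline or busy: servers 1, 2 and 5 are enough.
    recovered = reconstruct({i: shards[i] for i in (1, 2, 5)})

    # Two shards are below threshold: the result is unrelated to the secret.
    too_few = reconstruct({i: shards[i] for i in (1, 2)})

    # Server 3's shard leaked. After a refresh the leaked shard plus two
    # fresh shards does NOT reconstruct, while three fresh shards still do.
    leaked = shards[3]
    fresh = refresh_shards(shards, threshold=3, n_servers=5)
    stale_mix = reconstruct({1: fresh[1], 2: fresh[2], 3: leaked})
    fresh_ok = reconstruct({i: fresh[i] for i in (1, 2, 3)})
    return recovered, too_few, stale_mix, fresh_ok


if __name__ == "__main__":
    print(demo())
```

The refresh runs entirely among the servers, which matches the observation above that revocation need not involve the client.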

FIG. 1B is a block diagram illustrating another computer system for performing enrollment and authentication in accordance with an embodiment of the present invention. Using the system of FIG. 1B, a relying party 140 authenticates users (individual 133, subject 135). The system of this exemplary embodiment includes:

The relying party (RP) 140, in one embodiment, is an enterprise, such as a pharmacy or bank, that wishes to authenticate its users in a privacy-preserving way, in compliance with HIPAA, GDPR, and/or other regulations, in such a manner that they are not at risk of the breach and reputational damage associated with compromised user credentials, and in such a manner as to offer a seamless user experience, such as in line with the enterprise's passwordless, self-sovereign identity, digital identity transformation, non-custodial, decentralized, and compliance initiatives. The enterprise has a website, online marketplace, or digital payment gateway. In one embodiment, the website is written largely in Javascript and the RP has a MongoDB or other key-value store that stores the mapping from a username to the user's public key of a public-private signature key pair.

Client software (here written in Javascript) runs on a web browser, which in turn executes on the user's mobile phone. This software has access to the onboard camera to take pictures of the user's face. An instance of the software (client 134) interacts with the individual 133, who enrolls in the system, and with the other entities on behalf of the individual 133. An instance of the software (client 136) interacts with the subject 135, who purports to be the individual, and with the other entities on behalf of the subject 135. We sometimes term the individual's client 134, when it provides a biometric of the individual that is being enrolled for purposes of later authentication, a first “computing facility.”

Badge service 130 encodes data from the user (individual 133 and subject 135). It also handles cryptographic operations with the derived biometric root private key. In embodiments, the service 130 is written in C++, and self-hosted by Badge. In one embodiment, each client 134, 136 performs the functions of the Badge service. In another embodiment, the Badge service 130 is hosted by a server. In another embodiment, each client 134, 136 is coupled to the Badge service 130. In another embodiment, the Badge service 130 is contained within the client 134, 136. In another embodiment, the Badge service 130 is not contained within the client 134, 136. In one embodiment, the client 134, 136 is a front-end user interface and the Badge service 130 is the back-end. In one embodiment, the Badge service 130 performs the encoding and distributing of enrollment and authentication related information. In one embodiment, the client and service 134, 136, 130 are integrated with an existing client such as Windows Hello or Touch ID, and the servers 111, 112, 115, 121, 122, 125 are hosted in Azure, AWS, or another cloud platform.

The system of FIG. 1B includes a cluster of replicas of the server software corresponding to Server 1A 111, Server 1B, . . . . In embodiments, the server software is implemented in Go, and is deployed using Kubernetes in Google Cloud Platform and has a shared Postgres database that stores the users' encoded shares, which may be based on the biometrics and private keys. In addition to running a set of programs having APIs for communicating with the other servers, each server also runs a set of programs that have APIs for communicating with the clients. In one embodiment, these APIs include APIs for: enrolling the individual's secret shares of the encoded biometrics and the root private key, and performing authentication processes including these shares and secret shares of the subject's encoded biometrics.

The system of FIG. 1B also includes another cluster of replicas of server software corresponding to Server 2A 121, Server 2B 122, . . . . In embodiments, this server software is implemented in Python, and is deployed in Microsoft Azure in Central Europe. The cluster may include replicas of the Python version of server software, and has a shared MySql database that stores the users' encoded shares, which may be based on the biometrics and private keys. It provides APIs similar to those of the cluster of servers 1A 111, Server 1B, . . . , except written in Python on the server side.

Gateway 1 115 is a load-balancer (which may be written in Go) that routes traffic between different clients and different replicas in a way that minimizes the maximum load of a replica. In addition, the protocol used in embodiments for load balancing requires the replica of server 1A 111 to find the exact replica of server 2A 121 that talks to the same client 134. The gateway 115 provides functionality to enable server 1A 111 to connect to the correct replica of server 2A 121. (In one embodiment, the mapping is dynamic depending on the load balancer. It could be, for example, determined dynamically that server 1A 111 is mapped to server 2G.)

Gateway 2 125 is a load-balancer that implements functionality similar to that implemented by gateway 1 115, except written in Python (like cluster 2).

In the embodiment in FIG. 1B, a relying party 140 authenticates the subject user 135 using a series of enrollment processes that are implemented as follows:

The individual 133 is asked to register or create an account by the Relying Party 140.

The individual 133 clicks an “enroll” option on the individual's client 134, which here functions as the first computing facility. The individual's client 134 requests the individual to take a face selfie picture, and the individual takes such a face selfie picture.

Next, the Badge service 130 and the individual's client 134 establish a secure, encrypted session.

The Badge service 130 securely communicates with the individual's client 134 using the secure, encrypted session. The Badge service 130 encodes data associated with the captured image of the individual's face so as to generate biometric data, which is fed through a deep learning neural net that outputs a vector.

The Badge service 130 generates shards using the vector.

The Badge service 130 causes distribution of the generated shards to the servers 111, 112, 121, 122. Within the secure, encrypted session, the individual's client 134 receives the root private key and derives an ECDSA (Elliptic Curve Digital Signature Algorithm) public and private key pair that is used for signing. In one embodiment, neither the ECDSA public nor private key need be stored because they can be re-derived when needed. In one embodiment, the individual's client 134 derives separate key pairs for use with different relying parties and applications. In one embodiment, some key pairs are used for data encryption. In one embodiment, the individual's client 134 sends the ECDSA public key to the Relying Party 140. The Relying Party 140 stores the public key, or uses a certificate authority or registration authority to store the public key in a public key database. In one embodiment, the Badge service 130 contains the certificate authority, registration authority, and/or public key database. In one embodiment, the Relying Party 140 stores the public key and reports success to the individual's client 134. The individual's client 134 indicates successful enrollment to the individual.

In this embodiment, the shards may include one or more of the items on the following list of possible constituents. Any item on this list might have a plurality of occurrences.

-   1. Arithmetic shards of biometric data;
-   2. MAC codes for arithmetic shards of biometric data;
-   3. Beaver triples;
-   4. MAC codes for Beaver triples;
-   5. Arithmetic shards of a random value (e.g., alpha, r);
-   6. MAC codes for arithmetic shards of the random value;
-   7. Commitments for arithmetic shards of the random value;
-   8. Arithmetic shards of the MAC key (call the MAC key ‘D’); and
-   9. Function secret shares of a function.

In this embodiment, Beaver triples are arithmetic shards of {x, y, x*y} for randomly chosen x and y. In some embodiments, encoding includes encoding the above into the generated shards.

In one embodiment, the MAC code is thought of as being a part of the share itself. An “authenticated arithmetic share” is the tuple of a share and its MAC code. For example, for a shard of ‘a’, the corresponding MAC code is a shard of (a*D), where ‘D’ is the MAC key. In this embodiment, the shards may include one or more of:

-   1. Authenticated arithmetic shards of biometric data;
-   2. Authenticated Beaver triples;
-   3. Authenticated arithmetic shards of random value alpha;
-   4. Arithmetic shards of the MAC key; and
-   5. Function secret shares of a function.

In one embodiment, a commitment value can be used to check whether the values that have been committed have been modified. For example, the commitments for shards of r are used to check whether the shards of r have been modified. In one embodiment, a commitment is a hash.

In one embodiment, authentication of the subject includes receiving and storing, by the second computing facility, one or more of:

-   Arithmetic shards of random value r,
-   MAC codes for arithmetic shards of r, and
-   Commitments for arithmetic shards of r.

In one embodiment, the shards of r are received from the array of servers. A further embodiment includes:

-   confirming, by the second computing facility, using the commitments for arithmetic shards of r, that none of the array of servers was actively malicious, or otherwise compromised such that the shards of r have been modified; and
-   generating, by the second computing facility, r from the shards of r.

In one embodiment, authentication includes:

-   generating, by the second computing facility, blinded shards from the digital electronic signal of the subject and the shards of r; and
-   broadcasting, by the second computing facility, the blinded shards to the array of servers.

In another embodiment, authentication includes: causing the array of servers to be in possession of shards of the digital electronic signal of the subject.

In one embodiment, authentication includes: generating, by the array of servers, shards of the digital electronic signal of the subject and the associated MAC, using the blinded shards and the shards of r.

In one embodiment, the above processes reveal to the array of servers, by use of the MAC codes of the shards, whether any of the array of servers was actively malicious, for example, if it modified any shards. In a further embodiment, if it is detected that a server is actively malicious, a security process or breach of contract legal process is performed. For example, if a third party's servers were compromised resulting in modification of shards, appropriate processes and legal or indemnification actions for the dispute may be initiated.
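As an added illustration of the shard constituents listed above (authenticated arithmetic shards, Beaver triples, shards of the MAC key D, and shards of r with commitments) and of the blinded-input and MAC-check steps, the following Python models a two-server array computing the squared distance between an enrollment vector and a subject vector on shards. It is not code from the patent or from Badge: the field prime, the dealer role, the two-server layout and the four-element integer vectors are constructed assumptions, and the MAC check is evaluated directly with each server's shard of D rather than through the commit-and-open step a deployed protocol would use. The untampered run opens only the distance; when one server alters a single shard of the subject's data, the MAC check on the next opened value fails.

```python
import hashlib
import secrets

# Constructed toy of SPDZ-style authenticated arithmetic shards over a prime
# field. The prime, the two-server array and the 4-element fixed-point
# vectors are assumptions for illustration, not values from the patent.
PRIME = 2**61 - 1
N_SERVERS = 2

def share(x, n=N_SERVERS):
    """Additive arithmetic shards of x: one per server, summing to x mod PRIME."""
    parts = [secrets.randbelow(PRIME) for _ in range(n - 1)]
    return parts + [(x - sum(parts)) % PRIME]

def open_value(parts):
    return sum(parts) % PRIME

def commit(value):
    """Commitment to a shard of r (item 7 above): here simply a SHA-256 hash."""
    return hashlib.sha256(value.to_bytes(8, "big")).hexdigest()

class Dealer:
    """Setup role (the enrollment-time encoder) that knows the MAC key D."""
    def __init__(self):
        self.D = secrets.randbelow(PRIME)
        self.D_shards = share(self.D)            # item 8: shards of the MAC key

    def auth_share(self, x):
        """Authenticated shard for each server: (shard of x, shard of x*D)."""
        return list(zip(share(x), share(x * self.D % PRIME)))

    def beaver_triple(self):
        """Items 3-4: authenticated shards of {a, b, a*b} for random a, b."""
        a, b = secrets.randbelow(PRIME), secrets.randbelow(PRIME)
        return self.auth_share(a), self.auth_share(b), self.auth_share(a * b % PRIME)

# Linear operations are local: each server works only on its own shards.
def add(xs, ys):
    return [((x + y) % PRIME, (mx + my) % PRIME) for (x, mx), (y, my) in zip(xs, ys)]

def scale(xs, c):
    return [(x * c % PRIME, m * c % PRIME) for x, m in xs]

def sub(xs, ys):
    return add(xs, scale(ys, PRIME - 1))

def add_const(xs, c, D_shards):
    """Add a public constant: server 0 adjusts its value, every server adjusts its MAC."""
    return [((x + c) % PRIME if i == 0 else x, (m + c * D_shards[i]) % PRIME)
            for i, (x, m) in enumerate(xs)]

def open_checked(xs, D_shards):
    """Open a value and check its MAC: the sum over servers of m_i - value*D_i
    must be 0. A server that altered a shard makes the check fail."""
    value = open_value([x for x, _ in xs])
    check = sum(m - value * D_shards[i] for i, (_, m) in enumerate(xs)) % PRIME
    return value, check == 0

def mul(xs, ys, triple, D_shards):
    """Beaver multiplication; the opened e and d are MAC-checked like any opening."""
    a, b, c = triple
    e, e_ok = open_checked(sub(xs, a), D_shards)
    d, d_ok = open_checked(sub(ys, b), D_shards)
    out = add_const(add(add(c, scale(b, e)), scale(a, d)), e * d % PRIME, D_shards)
    return out, e_ok and d_ok

def blinded_input(dealer, subject_vector):
    """The subject's client receives shards of a random r with commitments, checks
    them, reconstructs r and broadcasts x - r; each server then holds an
    authenticated shard of x without ever seeing x."""
    shards_of_x = []
    for x in subject_vector:
        r_shards = dealer.auth_share(secrets.randbelow(PRIME))
        commitments = [commit(v) for v, _ in r_shards]         # sent alongside
        if any(commit(v) != c for (v, _), c in zip(r_shards, commitments)):
            raise ValueError("a shard of r was modified in transit")
        r = open_value([v for v, _ in r_shards])
        shards_of_x.append(add_const(r_shards, (x - r) % PRIME, dealer.D_shards))
    return shards_of_x

def squared_distance(enroll, auth, dealer):
    """Sum over j of (e_j - a_j)^2 computed on shards; only the total is opened."""
    acc, all_ok = dealer.auth_share(0), True
    for e, a in zip(enroll, auth):
        diff = sub(e, a)
        sq, ok = mul(diff, diff, dealer.beaver_triple(), dealer.D_shards)
        acc, all_ok = add(acc, sq), all_ok and ok
    dist, ok = open_checked(acc, dealer.D_shards)
    return dist, all_ok and ok

def demo(tamper=False):
    """Constructed 4-element vectors; returns (squared distance, MAC checks passed)."""
    dealer = Dealer()
    enrollment = [dealer.auth_share(v) for v in (120, 33, 210, 77)]
    authentication = blinded_input(dealer, [118, 35, 205, 80])
    if tamper:                                   # server 1 alters one value shard
        v, m = authentication[0][1]
        authentication[0][1] = ((v + 1) % PRIME, m)
    return squared_distance(enrollment, authentication, dealer)
```

Comparing the opened distance against a threshold is what decides authentication; the servers learn the distance here, whereas a deployment that must hide even that would also keep the comparison on shards.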

Alternatively or additionally, in another embodiment, authentication includes:

-   receiving, by the second computing facility, data exchange information from the array of servers; and
-   confirming, by the second computing facility, using the data exchange information, that the subset of the array of servers were not malicious.

In a further embodiment, if a server is found to be malicious, a security process is performed.

Alternatively or additionally, in another embodiment, authentication includes:

-   generating and distributing additional values, such as commitments or hashes of the shards of the digital electronic signal of the subject; and
-   receiving and storing, by the array of servers, the generated shards and additional values.

In one embodiment, the above processes reveal to the array of servers, by use of the MAC codes of the shards, whether any of the array of servers was actively malicious.

In one embodiment of the system wherein a relying party 140 authenticates a subject 135 purporting to be the user 133, authentication processes are implemented as follows:

The subject 135 tries to log in to the relying party's application, requesting the login on the subject's client 136, in this case acting as a second computing facility for purposes of authentication.

The subject's client 136 (e.g., running on the subject's device) sends the request for user authentication to the relying party 140, which is using what we call a third computing facility.

The relying party 140 returns a challenge to the subject's client 136, which includes a request to sign a message with the ECDSA private key.

The subject's client 136 requests a face selfie of the subject 135.

The subject 135 takes such a selfie of her face.

The subject's client 136 and Badge service 130 establish a secure, encrypted communications channel.

The Badge service 130 encodes and generates shards.

The Badge service 130 distributes a subset of shards to the plurality of servers 111, 112, 121, 122.

A subset of servers 111, 112, 121, 122 perform a data exchange process.

A subset of the subset of the array of servers 111, 112, 121, 122 send information to the Badge service 130.

The Badge service 130 uses the information to re-derive the root private key.

The Badge service 130 communicates with the subject's client 136 on the secure, encrypted channel in a manner that enables the subject's client 136 to re-derive the ECDSA private key.

The subject's client 136 signs a message with the ECDSA private key.

The subject's client 136 transmits the signed message to the relying party 140.

The relying party 140 verifies the signature using the ECDSA public key (which was previously stored for access by the relying party 140).

If the signature is valid, the relying party 140 successfully authenticates the subject 135 as the individual 133. In one embodiment, the relying party 140 grants access to the subject's client 136 to access an application.

The result of the authentication is reported to the subject 135.

The subject 135, once authenticated as the individual 133, accesses the relying party's application. In one embodiment, the subject 135 views her account balance. In another embodiment, the subject 135 views the results of her medical tests. In another embodiment, the subject 135 decrypts messages, a payment wallet, or other data. In another embodiment, the subject 135 signs a document or other data using a digital signature. In one embodiment, the subject 135 signs a transaction, e.g., to be accepted and recorded by a distributed ledger, block chain, or transaction processing stack.

In some embodiments, the output value is a key if the subject is authenticated as the individual, and the output value is all zeros if the subject is not authenticated as the individual. In one such embodiment, the third computing facility uses the output value/key to derive an ECDSA private key. Further, the third computing facility performs signature-based authentication using the ECDSA private key to authenticate to a fourth computing facility. In such an embodiment, the third computing facility receives a token enabling access to an application from the fourth computing facility. In another embodiment, encoding includes processing biometric data for generation of a biometric template. In one embodiment, the deep learning neural net is provided by another entity, such as a biometrics vendor. In another embodiment, the biometric data is processed using a feature extraction and/or alignment algorithm that outputs a biometric template. In another embodiment, face biometric data is fed through a face-trained neural net that outputs a first vector, and voice biometric data is fed through a voice-trained neural net that outputs a second vector, and the two vectors are combined, e.g., using a tensor product, for generation of a biometric template.

Some embodiments of the present invention can uniquely leverage multiple biometric inputs. For example, if each biometric input is fed through a machine-learning model and has an output in metric space, these embodiments can generate shards from these biometric inputs. In embodiments, the Badge service 130 uses machine learning to generate vectors and then uses the generated vectors as inputs of the authentication process. The use of machine learning applies to multiple biometric and non-biometric inputs, and also applies to multiple vectors. In one embodiment, these techniques are leveraged during generating shards from the digital electronic signal.

In one embodiment, the digital electronic signal is a video that includes facial images and a voice of a person. The facial image will go through its own neural net and the voice will go through its own neural net. Each neural net will produce a vector at the time of enrollment (namely, what we call an “enrollment vector”) and, again, at the time of authentication (what we call an “authentication vector”), such as a face vector and a voice vector. These two vectors are merged (with or without additional information) to create an input vector. For example, the face vector and voice vector may be combined with a pin code, to create a merged vector. As a further example, the additional information may include a set of metadata that indicates what type of biometric input the vector is derived from. In one embodiment, the computing facility takes the input vector and uses it to generate shards. In this way, shards can be generated based on vectors of multiple biometrics. In an alternative embodiment, there are two digital electronic signals, one for face and one for voice. In one embodiment, generating includes obtaining an output in metric space that was created using a neural net whose input includes a component of the digital electronic signal. The output in metric space can include a vector. The biometric data can be represented as one or more vectors in a metric space. In one embodiment, the vectors are generated using a neural net or deep learning model. In accordance with various embodiments of the present invention, processes, configured to preserve privacy of biometric data, for authentication involve the calculation of distances (between authentication and enrollment vectors) in metric space and comparing the calculated distances against a threshold.

The above described neural nets may have a given performance in terms of False Accept Rate (FAR) and False Reject Rate (FRR). Some embodiments of the present invention provide a way to perform privacy preserving authentication without degrading the FAR and FRR performance at a given threshold.
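To make concrete how a distance threshold in metric space sets FAR and FRR, and to check the claim that the decision at a given threshold need not change when the comparison is carried out on integer (fixed-point) values such as the arithmetic shards carry, the following Python is an added example, not code from the patent or from Badge. The 3-dimensional embeddings, the threshold of 0.2 and the 12-bit fixed-point scale are constructed; the functions themselves work for any dimension.

```python
def squared_distance(u, v):
    """Squared Euclidean distance; works for float or integer vectors."""
    return sum((a - b) ** 2 for a, b in zip(u, v))


def quantize(vec, bits=12):
    """Fixed-point encoding: floats in [-1, 1] -> integers with `bits` fraction bits.
    Integer vectors are what arithmetic shards over a prime field can carry."""
    scale = 1 << bits
    return [round(x * scale) for x in vec]


def quantize_threshold(threshold, bits=12):
    """A squared distance grows by scale^2 under quantization, so the threshold must too."""
    return int(threshold * (1 << bits) ** 2)


def decisions(enrollment, samples, threshold):
    """True = accepted (distance within threshold) for each sample, in order."""
    return [squared_distance(enrollment, s) <= threshold for s in samples]


def far_frr(enrollment, genuine, impostor, threshold):
    """FAR: fraction of impostor samples accepted; FRR: fraction of genuine samples rejected."""
    far = sum(decisions(enrollment, impostor, threshold)) / len(impostor)
    frr = sum(not d for d in decisions(enrollment, genuine, threshold)) / len(genuine)
    return far, frr


# Constructed 3-dimensional embeddings (a real model emits hundreds of dimensions).
ENROLLMENT = [0.5, -0.25, 0.75]
GENUINE = [[0.5, -0.25, 0.75], [0.6, -0.2, 0.7], [0.9, -0.25, 0.75], [0.5, 0.35, 0.75]]
IMPOSTOR = [[-0.5, 0.25, -0.75], [0.2, -0.1, 0.6], [0.0, 0.0, 0.0], [0.5, -0.25, 0.25]]
THRESHOLD = 0.2


def compare_plain_vs_fixed_point(bits=12):
    """Returns (floating-point decisions, fixed-point decisions) for every sample."""
    samples = GENUINE + IMPOSTOR
    plain = decisions(ENROLLMENT, samples, THRESHOLD)
    fixed = decisions(quantize(ENROLLMENT, bits),
                      [quantize(s, bits) for s in samples],
                      quantize_threshold(THRESHOLD, bits))
    return plain, fixed
```

Raising the threshold trades FRR for FAR: at 0.2 one genuine sample and one impostor sample fall on the wrong side, while at 0.3 a second impostor is accepted. Samples that sit very close to the threshold are the ones a coarse quantization could flip, so the fixed-point scale should be chosen with the model's score distribution in mind.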

In this way, these embodiments provide a uniform approach to usingarbitrary modalities of biometrics—the above deep learning approach canbe used with face authentication, voice authentication, behavioralauthentication, etc., as well as with more traditional biometricmodalities such as fingerprint, iris, retina, palm, etc. Thearchitecture in some embodiments enables uniform support of biometricmodalities that have not yet been invented. Such architecture alsoenables uniform support of the above in combination with factors suchpins, tokens, patterns, passwords, etc.

In various patterns of authentication described in this application:

-   -   an individual can use one or more modalities (such as face,        voice, fingerprint, periocular face, pin, password, SSID, token,        etc.) to enroll;    -   and then can authenticate with a subset of these modalities;    -   and can enroll additional modalities over time;    -   and (as explained in the following paragraphs) some of these        modalities can be compromised without compromising the system.

For example, the fingerprint biometric might be compromised—in an eventunrelated to the technology described herein—when fingerprint templatesstored in a database elsewhere are compromised, but this compromise ofconventional technology does not result in compromising a system inaccordance with an embodiment of the present invention. In anotherexample, if an underlying private key is compromised, this compromisedkey can be revoked in accordance with embodiments of the presentinvention. As another example, when it is determined that a passwordshould not be used anymore, the password can be eliminated as a validmodality for authentication. In some embodiments, this determination ismade by the user, and in other embodiments the determination may be madeby an organization such as a bank or government agency, or automaticallywhen a set of conditions has been established to justify thedetermination.

In some embodiments, the nature of a proposed use of information governsselection of a tier of security risk associated with such use andconsequently the authentication factors required to implement such use.For example, herein, under one scenario only the individual's face isrequired to log in to see the individual's bank balance, but then, inanother scenario, to perform a transaction, which involves a higher tierof security risk, the individual would be required to pass requirementsof face recognition as well as voice recognition. In yet anotherscenario, for example, involving a change of an individual's address, inaddition to biometric requirements, there may be imposed a requirementfor providing a secret, such as a user's PIN. Other examples include anorganization choosing which input factors or combinations are required,for example based on user convenience relative to the application ortransaction for which the user desires access, or, in another example,based on a security policy.

In some embodiments, for each factor or modality that the individualenrolls with, one or more separate minor keys are derived. A subset ofthe set of minor keys may be sufficient to authenticate the subject asthe individual. Upon enrollment, a major key may be generated that isrelated to the minor keys. The major key may be derived from the minorkeys. In some embodiments, all minor keys are required to re-derive themajor key. In some embodiments, the major key operates like a masterkey.

In some embodiments, the compromise of a minor key does not compromiseany other keys. Minor keys can be revoked. In some embodiments, themajor key can be updated to no longer be related to a revoked minor key.For example, the major key can be updated to no longer contain a revokedminor key.

In some embodiments, minor keys and major keys may be ECDSA or RSA keysand may be used in standard cryptographic operations, such as signingand encryption. In one embodiment, the major key is an ECDSA key thatencompasses the minor keys. In one embodiment, a Diffie Helman processis used to combine minor keys to generate a major key. In someembodiments, generating a key includes generating a secret and derivinga private/public key pair from it, such as an ECDSA key pair and othersas known in public key infrastructure.

In one embodiment, the set of minor keys that are re-derived duringauthentication are a subset of the major key, and if this subset isdetermined to be sufficient for authentication, the server accepts theset membership proof. In one embodiment, the determination of what issufficient is made at the time of enrollment. In one embodiment, thethreshold of what subset is determined to be sufficient can bedynamically set by an organization (e.g., it does not have to remainstatic from the time of enrollment). Further, the threshold may be aslow as a single partial modality or as high as all modalities, dependingon an organization's preferences, such as for user settings andsecurity.

In some embodiments, there are one or more minor keys for each factor or modality. For example, for a given user, there could be a minor key for each partial fingerprint on each finger of each hand. In another example, all ten fingerprints and two palms of a user have one minor key. In another example, for a given user, there are separate minor keys for each type of face scan, such as visual, infrared (IR), three-dimensional (3-D), etc. In one example, there is a separate minor key for a user's face scan in each of several separate conditions, such as low light, wearing glasses, wearing a facemask, with a head covering, outdoors, on a phone, using a wearable camera, with a beard, etc.

In certain embodiments implementing minor and major keys, during authentication, one of the minor keys is generated. In some of these embodiments, it can be shown that the minor key is associated with the user's major key as follows:

-   x and y are minor secret keys; and
-   if the major secret key is x*y, with public key g^{x*y}, a minor key x with associated public key g^x can be verified to be a part of the major secret key using g^y to compute g^{x*y} and verifying equality with the major public key. This allows demonstrating that the derived key is a member of the keys the individual enrolled with, even if the subject does not use all modalities during authentication. In some embodiments, this also allows for specific key revocation: if x is compromised, then all minor keys that include x can be revoked. In these embodiments, compromise or revocation of x does not reveal information about other keys (e.g., y) and does not impact the functionality of other keys.
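The membership relation above, worked through as an added example (not code from the patent): minor secrets derived per modality, a major secret equal to their product, a per-modality helper g^{product of the other minors} (the g^y of the text), and a check that one re-derived minor key belongs to the enrolled major key. The multiplicative group mod a Mersenne prime and the hash-based derivation of a minor secret from a modality sample are stand-ins chosen for readability; it generalizes the two-key case to any number of minor keys.

```python
"""Added example (not from the patent): minor/major key membership check.

Minor secret keys x, y, ... are derived from separate modalities, the major
secret key is their product, and a single re-derived minor key is checked
against the major public key without revealing the other minor secrets.
A plain multiplicative group mod a Mersenne prime is used for readability;
the derivation of a minor secret from modality bytes is an illustrative
stand-in, not the patent's method.
"""
import hashlib
import secrets

P = 2**127 - 1          # Mersenne prime M127; the group Z_P^* has order P - 1
Q = P - 1               # exponents are reduced mod Q, since G**Q == 1 (mod P)
G = 3                   # fixed group base


def derive_minor_secret(modality: str, sample: bytes) -> int:
    """Stand-in derivation: one minor secret per modality sample (assumption)."""
    digest = hashlib.sha256(modality.encode() + b"|" + sample).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1   # in [1, Q-1]


def public_key(secret: int) -> int:
    return pow(G, secret, P)


def major_secret(minor_secrets: list[int]) -> int:
    """Major secret key: product of all minor secrets (mod group order)."""
    m = 1
    for s in minor_secrets:
        m = (m * s) % Q
    return m


def membership_helper(minor_secrets: list[int], index: int) -> int:
    """g raised to the product of every minor secret EXCEPT the one at index.

    For two minor keys x, y this is exactly the g^y of the text; it reveals
    nothing about y itself under the discrete-log assumption.
    """
    others = [s for j, s in enumerate(minor_secrets) if j != index]
    return public_key(major_secret(others)) if others else G


def verify_membership(minor_secret: int, helper: int, major_pub: int) -> bool:
    """(g^{others})^x == g^{x * others}, which must equal the major public key."""
    return pow(helper, minor_secret, P) == major_pub


def enroll(samples: dict[str, bytes]) -> dict:
    """Enrollment: derive the minors, the major public key, one helper each."""
    names = list(samples)
    minors = [derive_minor_secret(n, samples[n]) for n in names]
    return {
        "modalities": names,
        "major_pub": public_key(major_secret(minors)),
        "helpers": {n: membership_helper(minors, i) for i, n in enumerate(names)},
    }


def authenticate_with(enrollment: dict, modality: str, sample: bytes) -> bool:
    """Authentication re-derives ONE minor key and proves it belongs to the major."""
    x = derive_minor_secret(modality, sample)
    return verify_membership(x, enrollment["helpers"][modality],
                             enrollment["major_pub"])


def revoke(samples: dict[str, bytes], modality: str) -> dict:
    """Revocation of a compromised minor key: re-enroll that modality with a
    fresh sample; the other minor keys keep working with the new major key."""
    fresh = dict(samples)
    fresh[modality] = secrets.token_bytes(32)   # replacement sample (constructed)
    return enroll(fresh)
```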

In some embodiments, the minor keys may be extracted individually from their respective modalities, and these keys may be combined incrementally. For example, the face minor key and the PIN minor key may be extracted. These two keys could be used, for example, for a login authentication process. Then, to perform a step-up authentication process, a service could request that the voice key also be extracted. In this embodiment, the voice key can be extracted and combined with the previously extracted face and PIN keys to obtain a key used for the step-up authentication process.

The causing distribution of shards in the embodiment of FIG. 1B is based on a combination of one or more conditions including: online status, availability, breach condition, capacity, location, privilege status, decentralization, load balancing, history, performance, a scheduling algorithm, or security group. For example, if multiple servers 111, 112 in a cluster have been compromised, other servers in that cluster may not receive the distributions. For example, the gateway 115 or gateway 125 could pick which servers in the cluster to use to achieve load balancing. For example, the Badge service 130 or the client 134, 136 could indicate a preference for which servers receive the distribution. For example, multiple servers may receive one or more shards that another server also receives. In another example, no server receives the same shard that another server receives.

Such “causing distribution” does not by itself require a particular pattern of distribution, and a range of patterns of distribution can be employed depending on the context of the relevant computer processes. Under one pattern of distribution all servers get the same information, and that information may or may not be public. Under one further scenario, the information might be “blinded,” as that term has been used herein. In another pattern, for example, different servers get different information, which may be overlapping, or not, and which generally is not public information. A variety of methods of distribution may be employed. In one scenario, for example, the distribution method may involve providing further information to a server to allow it to interpret information previously delivered to it.

In one embodiment, within a secure encrypted session between the client 134, 136 and the Badge service 130, the client 134, 136 receives the root private key and derives an RSA public and private key pair that is used for signing. In another embodiment, the Badge service 130 derives the key pairs and posts the public keys to a public key directory, which in some embodiments is accessed by certain relying parties and applications. In one embodiment, neither the RSA public nor the private key need be stored because they can be re-derived when needed. In one embodiment, the client 134, 136 derives separate key pairs for use with different relying parties and applications. In one embodiment, some key pairs are used for data encryption. In this way, the human is the root of trust (instead of a hardware or physical root of trust, or a software root of trust, that could be lost or compromised). The human root of trust can, on demand, re-derive key pairs to authenticate to, sign, encrypt, or provide other functions with relying parties, services, and applications.

In some embodiments, the system of FIG. 1B includes more than two server clusters. In this embodiment, the system architecture in FIG. 1B is changed such that the Badge service 130 is connected to the additional server clusters. In one embodiment, the servers or server clusters have a point-to-point connection with every other server or cluster. In one embodiment, the servers will have a series of broadcasts among themselves to carry out an MPC protocol.

In embodiments, the system communicates that the subject is authenticated to the relying party (sometimes herein “RP”) in varying manners. In one embodiment, the relying party communicates with the individual's client at enrollment (as depicted in FIG. 1B). To do so, the client (after enrolling) sends some information to the relying party that links the Badge account to the relying party's account. For example, this can be achieved using the standard OAuth protocol. In another embodiment, the relying party communicates with the Badge service acting as a certificate authority (CA) that registers its root certificate with the relying party. The Badge service can then send signed messages that the client is authenticated, which can be verified by the relying party. In yet another embodiment, the relying party has no communications except with a secondary client. In this case, a third-party CA (e.g., COMODO) issues the Badge service a certificate, which it uses to sign authentication messages. The relying party verifies these signed authentication messages using a protocol, e.g., standard Transport Layer Security (TLS).

1.1 Data Encoding

In some embodiments, user U has a biometric template T that can be represented by a set of features, and there exists a subset of points P ⊆ T that corresponds to the entropy of the template. In one embodiment, each feature is an element of the same universe, and the universe must be finite and have a total ordering. In some embodiments, this total ordering must be known to both U and U′, and may be constant or vary depending on one or more authentication factors, which could include, for example, a PIN, a password, a characteristic of an ear canal, or biometric data. To state the conditions of these embodiments differently, there exists a subset of points that represents the randomness of the biometric data. Let us call the subset of points P the entropic points. In one embodiment, an encoding algorithm is used to encode T to an encoded template E_T, and an algorithm f performs authentication given the encoded template E_T and the entropic points P′ of a second template T′, where T′ is generated by user U′. That is, f(E_T, P′) = 1 if the user U′ is the same as U, and f(E_T, P′) = 0 otherwise. Note that this means the function is symmetric, in that f(E_T′, P) = 1 if and only if U is the same as U′ as well.

An example of such a biometric template and encoding scheme is representing a two-dimensional face or fingerprint template as a list of (x, y) coordinates of the features associated with the template. The encoding and the entropic points are precisely the list of (x, y) coordinates, and the corresponding f would check whether each of a large fraction of the entropic points of the second template has a corresponding point in the first template that is within a small Euclidean distance. The choices of encoding and f can be made such that they improve performance.

1.2 Communications for Enrollment and Authentication

In some embodiments, enrollment (also referred to as registration) is carried out between an honest individual and a plurality of servers. The purpose of enrollment is to enable the individual to authenticate herself at a later point. After enrollment of the individual, authentication is carried out between a subject, who may or may not be the same as the enrolled individual, and the plurality of servers.

FIGS. 1C and 1D are block diagrams illustrating communication paths for enrollment and authentication respectively in a computer system using n servers in accordance with an embodiment of the present invention. In enrollment in FIG. 1C, the individual, User (U) 18, enrolls with the system by sending her sharded data to each server 11, 12, . . . , 15. In authentication in FIG. 1D, the subject, User′ (U′) 19, attempts to authenticate herself as the User (U) 18 by communicating with the servers 11, 12, . . . , 15. In the embodiment of FIGS. 1C and 1D, the servers 11, 12, . . . , 15 must also communicate with each other.

In one embodiment, we assume that at least one of the servers 11, 12, . . . , 15 is honest, meaning that it will follow the protocol for authentication in this embodiment correctly, and it will not reveal any of its private values. If at least one server is honest, the following goals can be achieved:

Correctness. If the subject is the individual and the servers and the subject follow the protocol without deviating from the protocol, then the servers are convinced that the subject is the individual.

Soundness. If the subject is not the individual and at least one server is honest, then the honest server will not be convinced that the subject is the individual, and authentication will not succeed.

Zero-knowledge. For example, if at least one server is honest, then no server should learn the biometric data of the individual or subject. Furthermore, even if the subject is malicious in this scenario, neither the subject nor any server will learn anything about the biometric template of the individual during the authentication protocol.

Zero-knowledge is related to privacy preservation. In some embodiments, even if all but one of the servers are actively malicious:

-   the output value is not revealed to the computing facility or the plurality of servers;
-   neither the individual's biometric data nor the subject's biometric data (nor the digital electronic signal that characterizes a biometric of the subject) is revealed to the servers; and
-   the servers do not obtain intermediate values of the multiparty computation.

2.3 Brief Background of MPC

There are many different forms of multiparty computation (MPC), including methods that perform computation on “sharded” values. A “sharded” value is a value x that is shared across two or more servers. The shards alone reveal nothing about x, but only reveal x when combined. For example, x can be arithmetically sharded into [x]₁, [x]₂ as:

[x]₁ = r mod p

[x]₂ = x − r mod p

where r is a random integer, and p is a large prime number. One can see that x = [x]₁ + [x]₂ (mod p), but [x]₁ and [x]₂ are each random (because r is random).

We have described here one method of sharding data (arithmetic sharding). There are also multiple other methods of sharding data. A process to shard secrets (including, e.g., Shamir shards (polynomial interpolants), bitwise XOR shards, linear sharding, etc.) may be used as well.

MPC allows us to perform complex operations on these sharded values, including addition, multiplication, and integer comparison. These operations occur entirely on sharded values to generate shards of the result of the computation. The servers then reveal these output shards to learn the result of the computation together. In this way, the set of servers learns only the output of the computation and not the input or any intermediate values.

While MPC is general and powerful, it is also expensive and therefore impractical for many applications. For example, in the above sharded protocol, certain operations are more expensive than others. Specifically, each multiplication and comparison operation is expensive. The operations typically require a separate offline “setup” phase involving large amounts of computation and communication.

This setup phase is so expensive (both in terms of computation and communication) that it renders most MPC impractical for most applications. Even the online phase (occurring after the setup phase) can be impractical, as each multiplication and comparison operation requires information to be exchanged among all of the participating servers. This process can be costly in terms of time (on the order of 200 ms-500 ms), owing to network latency among other factors.

Finally, many approaches that deal with these shortcomings sacrifice security. That is, many protocols protect the user's data only if all servers obey the protocol honestly. This security model is in general too weak for practical applications.

The sharding described above shards a value. Function secret shares are a mechanism to shard a function instead of a value. Functionally, they work in a similar fashion to the sharding described above. The key difference is that instead of sharding a value (x) and jointly computing a known, shared function (f), you are sharding a function (f) and computing on a known, shared value (x).

2.0 Secure Subset Selection

In accordance with embodiments of the present invention, we develop and use a sharded subset protocol. A sharded subset protocol includes two phases: setup (corresponding to what we have sometimes called “enrollment”) and select (corresponding to at least part of what we have sometimes called “authentication”). The setup phase is carried out between servers S_i, at least one of which is honest, and a trusted third party U. The select phase is carried out between the same servers and another third party U′ who may or may not be trusted. The high-level goal of a sharded subset is to allow the trusted party U during the setup phase to “commit” some messages M = {msg_i}_{i=1}^{n} to the servers. At a later point, in authentication, the protocol should allow U′ to select a subset of the messages of a fixed size f without learning the content of the messages, and a given server S_a should then learn the content of the subset {msg_j : j ∈ Φ ∧ Φ ⊂ [n] ∧ |Φ| = f} without learning the indices Φ of the chosen messages. That is, at the end of the protocol, one of the servers will have access to a subset of the plaintext messages U committed, but which particular messages were chosen to form this subset remains hidden. For the sake of formally specifying the protocol, let M′ = {msg′_j} be the set of messages the given server S_a possesses at the end of the protocol, and let S_a output 1 if M′ ⊂ M, or abort otherwise. As described herein, in connection with authentication more generally, there are three goals for a sharded subset: correctness, soundness, and zero knowledge.

Correctness: If all participants are honest, then the protocol will not abort and the given server S_a outputs 1 with probability 1. Moreover, if S_a and U′ are both honest and the protocol does not abort, then M′ is exactly the subset chosen using Φ.

Soundness: If S_a is honest and M′ ⊄ M, then the protocol aborts with overwhelming probability, regardless of how the other servers and U′ cheat.

Zero-knowledge: No server should learn anything about Φ as long as one server remains honest. Moreover, {S_i}_{i≠a} and U′ should learn nothing about the underlying plaintext messages, as long as the given server S_a is honest.

3.0 Enrollment and Authentication Protocols

We now describe how individual U may store its biometric template on the servers securely, and how subject U′ can authenticate itself at a later point. Portions of this description expand on concepts disclosed in PCT publication WO 2017/083732, filed on Nov. 11, 2016, which is hereby incorporated herein by reference in its entirety.

FIG. 4 is a diagram of logical flow of an enrollment process, in accordance with an embodiment of the present invention. During enrollment, in process 41, a first biometric computer system causes generation of biometric data for an individual U, and, in process 42, encodes and extracts into shards the generated biometric data. (The encoded biometric data corresponds to template E_T, which is compliant with section 1.1.) The encoded biometric data appears in n shards, where n is the number of servers. In process 43, the first biometric computer system distributes the n shards across the n servers. In a further related embodiment, additional (optional) processes are carried out by the first biometric computer system. In particular, in process 44, the first biometric computer system executes an offline phase of the MPC protocol that later is used in authentication. In process 45, the first biometric computer system then sends, to each server, a customized output that has been computed for use in the MPC. (It will be recalled, from section 1.1, that, for authentication, the MPC uses the algorithm that corresponds to f.)

FIG. 6 is a diagram of logical flow of an authentication process, in accordance with another related embodiment of the present invention. During authentication, in process 61, a second biometric computer system generates biometric data of the subject. Then, in process 62, the second biometric computer system encodes and extracts into shards the biometric data of the subject. The biometric data thus encoded constitute the entropic points P′ (first mentioned in section 1.1 above). In process 63, the second biometric computer distributes the n shards across the n servers. In process 64, each of the servers recalls from memory the MPC parameters that were precomputed from U in the offline phase (processes 44 and 45 in FIG. 4) of MPC. In process 65, the servers compute f(E_T, P′) without learning anything about E_T and P′. In one embodiment, function f is a biometric match function. In one embodiment, this computation results in shards of an output value O. In one embodiment, the shards of O are returned to the subject, who then reconstructs these shards to recover O. In one embodiment, if the final output O is 1, then the subject is authenticated as the individual. Otherwise, the subject is not authenticated as the individual.

In another embodiment, the servers may recover O without returning any shards to the user. In one embodiment, if the final output O is 1, then the subject is authenticated as the individual. Otherwise, the subject is not authenticated as the individual.

In another embodiment, O may be chosen arbitrarily at enrollment to be any value. In one embodiment, O may be chosen to be a secret key (or a shard of a secret key, if more than one factor is being used).

In another embodiment, the second biometric computer causes the servers to compute a MAC code for the shards of the subject. These MAC codes are used over the course of the servers computing f(E_T, P′). The MAC codes are returned along with the shards of O. The subject then checks this MAC code prior to reconstructing O to determine whether the servers computed f(E_T, P′) correctly and did not learn anything about P′.

In another embodiment, the servers use protocols including SPDZ and/or function secret shares to compute f(E_T, P′).

In another embodiment, a second biometric computer causes biometric data of a subject purporting to be the individual to be generated, shards the biometric data of the subject, and distributes, across the plurality of servers, the shards of the subject. The distribution of the shards causes the servers to compute a MAC code for the shards of the subject and each of the servers to execute a multiparty computation algorithm to determine a blinded match score for the sharded biometric data of the subject in relation to the corresponding sharded data of the individual. Each of the servers uses the blinded match score to compute a corresponding function share, and returns, to the second biometric computer, the computed function share along with values for the MAC codes previously computed. The second biometric computer uses the function share data to determine whether there has been a determination of a match and evaluates the MAC codes to confirm the authenticity of the function share data.

In process 66, each of the servers is programmed to accept or reject individually. In one embodiment, the programming is done in such a manner that a server does not learn whether it accepted or rejected. In addition, it does not learn whether any of the other servers accepted or rejected. In one embodiment, it is not possible to determine from a given server's shard of the output value whether the output value indicates that the subject is authenticated as the individual or not. An authentication process 68 is successful if and only if a sufficiently large subset of servers accept in process 66.

The following are two examples where, in some embodiments, not all servers accept in process 66.

In a first example, not all the servers accept, based on redundancy. In one embodiment, more than one server received the same shards during enrollment/authentication. In that case, more than one server will produce the same output shard. In one embodiment, authentication requires only one instance of each output shard. If two servers that received the same shards produce different output shards (for example because one server is malicious or malfunctioned), and a subset of the output shards results in successful authentication, then the subject is successfully authenticated as the individual. In one embodiment, if it is possible to recover an output that confirms authentication, then the subject is successfully authenticated as the individual.

Alternatively, in another embodiment: Server 1 received enrollment shard 1 and authentication shard 1. Server 2 received enrollment shard 1 and authentication shard 2. Server 3 received enrollment shard 2 and authentication shard 1. Server 4 received enrollment shard 2 and authentication shard 2. It is possible to authenticate using only servers 1 and 4. Or it is possible to authenticate using only servers 2 and 3. If either servers 1 and 4 or servers 2 and 3 confirm authentication, the subject is authenticated as the individual.

In a second example, certain methods of sharding, such as Shamir sharding, result in a situation where only a certain number of shards are needed to recreate the secret (in this case the secret is the output value): n out of m shards is sufficient.

The exemplary methods described in examples 1 and 2 above may be selected for reasons including that servers sometimes go down, become unavailable, malfunction, go offline, or can be malicious.

In one embodiment, every server coupled to a given gateway receives the same shards. In such an embodiment, during a given authentication attempt, each gateway selects one server coupled to it to participate in the data exchange process (such that one server from each gateway is participating). In the event of a failed authentication, authentication may be retried, either depending on certain conditions or automatically. During this retry, each gateway may choose (such as based on an internal scheduling or load balancing algorithm) to assign a different server than was used in the prior attempt. In this way, the array of servers participating in the first authentication attempt may be a different subset of servers than that participating in the second authentication attempt. This mitigates the potential for single points of failure in the array of servers or the subset of servers.

Now we describe another embodiment in connection with FIG. 4, whose enrollment processes 41 through 45 are described above.

In some embodiments of the present invention, the shards distributed to the servers in the course of enrollment (as just described in connection with FIG. 4) are encrypted. FIG. 2 is a diagram of logical flow illustrating how such encryption is achieved by the first biometric computer system in accordance with one embodiment of the present invention. In process 21, the first biometric computer acquires the encryption key of server a. In process 22, the first biometric computer system shards each message into n−1 shards, one for each server other than server a. In process 23, the first biometric computer system encrypts the shards for each server i (other than server a) using the encryption key of server i (which the first biometric computer obtains from server i). There are now n−1 encrypted shards. Next, in process 24, the first biometric computer system generates a random symmetric key k. In process 25, the first biometric computer system further encrypts the n−1 encrypted shards using the symmetric key k. In process 26, the first biometric computer system sends each server i of the n−1 servers its corresponding doubly encrypted shard. (Remember that each shard for server i is initially encrypted with a key obtained from server i.) In process 27, the key k is itself sharded into n shards, and, in process 28, the first biometric computer system sends each server a shard of key k.

FIG. 3 is a diagram of logical flow in authentication under circumstances in which the shards have been encrypted in accordance with the processes just described in connection with FIG. 2. In process 31, the second biometric computer system downloads, from the servers, the doubly encrypted shards and the shards of k that were distributed by the first biometric computer system in processes 26 and 28 of FIG. 2. In process 32, the second biometric computer system reconstructs k. In process 33, the second biometric computer system uses the reconstructed k to decrypt one layer of the shards. However, the shards at each server i (other than server a) remain encrypted by the encryption key of server i. In process 34, the second biometric computer system selects a subset of these encrypted shards and, in process 35, sends the subset to server a for decryption so as to recover from server a the encoding of biometric U′ and cause server a to evaluate the existence of a match.

FIG. 5 is a diagram of logical flow of an authentication process, in accordance with a related embodiment of the present invention. During authentication, in process 51, a second biometric computer system generates biometric data of user U′. Then, in process 52, the second biometric computer system encodes and extracts into shards the biometric data of user U′. The biometric data thus encoded constitute the entropic points P′ (first mentioned in section 1.1 above). In process 53, the servers and the second biometric computer system execute the select step of the subset protocol (described above in connection with FIG. 3) to select a subset of the encrypted shards that corresponds to P′. At this point, each server then possesses shares of points of P′, and shares of E_T. In process 54, each of the servers recalls, from memory, the MPC parameters that were precomputed from U in the offline phase (processes 44 and 45 in FIG. 4) of MPC. In process 55, the servers compute f(E_T, P′) jointly with the second biometric computer system without learning anything about E_T and P′. In one embodiment, function f is a biometric match function. If the final output is 1, then U′ = U. Otherwise, U′ ≠ U. In process 56, each of the servers is programmed to accept or reject individually. An authentication in process 58 is successful if and only if all servers accept in process 56. Otherwise, authentication of the subject U′ is rejected in process 57.

This authentication process has potential for usage in multiple areas. One skilled in the art will be able to recognize that this technology can be used for many applications, including authentication. Applicable industries include financial & banking, government & defense, healthcare & medical, retail, consumer authentication, enterprise, identity, and many others.

Moreover, although the above embodiment reveals a yes/no result for authentication, other embodiments include key derivation by, e.g., sharding the key across the plurality of servers, and then (upon successful authentication) each server sends its shard to U′. Therefore, upon successful authentication, U′ can reconstruct a secret key to be used for further cryptographic operations.

Additional examples of authentication uses of some embodiments of the present invention include: authenticating a user to a server (e.g., deriving SSH keys, client SSL certificates and keys, Enterprise 802.11 certificates and keys, OAUTH tokens, one-time passwords, etc.).

Note that these can also be chained (e.g., OAUTH tokens can be used to obtain subsequent certificates/keys).

Additionally, some embodiments of the present invention may be used for authentication to the authentication servers themselves. For example, an authenticated user can update his/her authentication data, user details, authorization policies, etc. with each server.

4.0 Example Encoding Scheme and Authentication Algorithm

Now, we can put the above pieces together in an example embodiment that provides fingerprint authentication and achieves the security benefits described in Section 2. In this example embodiment, we will use fingerprint biometric data that will be encoded as described below and leverage the SPDZ multiparty computation protocol for the comparison phase. This example embodiment is discussed below.

4.1 Fingerprint Biometrics and Representations

Fingerprints are a common biometric modality that is widely deployed commercially today. Many fingerprint recognition algorithms use extracted minutiae (locations where fingerprint ridges split or end) locations and angles to represent a fingerprint. Comparison of two fingerprints then requires determining how close sets of minutiae are to each other. One method to do this matching is with the “Minutia Cylinder Code” (MCC). This method maps the space of minutiae around a point into a three-dimensional quantized data structure (x-coordinate, y-coordinate, θ-angle).

The presence of a minutia at a specific location with a specific angle assigns the associated point in the data structure to one. Absence corresponds to zero. To compare two fingerprints, one takes the dot product of the two minutia cylinder codes and determines whether that dot product is greater than a threshold T:

E_T · E_T′ > T

where E_T is the MCC encoding of template T, and E_T′ is the MCC encoding of template T′.

If we choose an entropic subset P′ ⊂ T′ (we sometimes refer to an “entropic subset” herein as a “confident subset”) as the set of minutiae with highest confidence and highest distinguishing power (cf. Section 2), then we can similarly encode P′ as an MCC, and represent the matching function ƒ as the same dot product.

If we represent the MCC from P′ entirely as 1's and 0's, then the dot product of E_T with the encoding of P′ is simply the sum of a subset of E_T, namely the entries at the positions where the encoding of P′ is 1. The subset operation is executed using the protocol in Section 3 and the sum/threshold operation is performed using MPC (described below).

Before continuing, note that the above MCC representation can be enhanced by using one or more of the following methods.

Using minutia features (e.g., minutia type, minutia neighborhoods, ridge descriptors) to more accurately describe the minutiae.

Using non-binary encodings to handle noise more smoothly by encoding a “score” for each minutia. Specifically, locations close to the minutia receive a high score, and locations farther away receive lower scores.

Using alignment-free or globally aligned representations of the fingerprint, depending on the usage model and sensor parameters.

Using non-minutia features (e.g., ridge descriptors) instead of or in addition to minutia features.

Finally, note of course that other biometrics may also be used as inputs, and that multiple biometrics may be combined in a single enrollment or authentication.

We may represent the “norm” in the vector space in a number of forms, including Hamming distance, Hamming distance of subsets, l_p distance (for any p), l_p distance of subsets, cosine similarity, etc. In one embodiment, we embed the notion of similarity between two vectors as a dot product between those two vectors.

4.2 SPDZ Multiparty Computation Overview

Recall the discussion of multiparty computation (MPC) from Section 2. The MPC component of our authentication protocol is responsible for performing the comparison algorithm. Specifically, as described above, one simple method of doing this is to compute a thresholded subset-sum. That is, given a set of values x_i that are sharded across n servers, we want to compute:

$\sum_{i} x_i > T$

for some threshold T.

SPDZ is a protocol that performs computations on sharded data (as discussed in Section 2). It has all of the security properties we require. Therefore, as discussed in Section 3, we can use the subset protocol to select the appropriate shards as input to the MPC protocol, and then the SPDZ protocol to compute the sum and threshold.

The threshold operation in our computation is an integer comparison, which is incredibly expensive in SPDZ (requiring a setup phase that takes several seconds of computation and communicates >50 MB of data per comparison). This cost would immediately render the protocol impractical.

However, we have identified a method to avoid the majority of this cost by leveraging the enrollment step. During enrollment, the original user U is by definition trusted by all of the servers. Therefore, U can generate all of the offline phase data on behalf of all of the servers, a process which (for technical reasons) removes the associated computation and communication complexity.

In embodiments using different MPC approaches (e.g., variants of SPDZ, etc.), these pre-generated data may vary. [See, e.g., Damgård, I., Keller, M., Larraia, E., Pastro, V., Scholl, P., and Smart, N. P. Practical covertly secure MPC for dishonest majority—or: breaking the SPDZ limits. In European Symposium on Research in Computer Security (2013), Springer, pp. 1-18.] They may further vary depending on the actual function being computed by the MPC protocol.

Therefore, we can run the SPDZ online protocol efficiently (with negligible computation cost and small quantities of data exchanged between servers).
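As an added example (not code from the patent), the following Python puts Sections 4.1 and 4.2 together: a binary MCC-style encoding of a minutia set, additive sharding of that encoding across n servers, and the thresholded subset-sum computed on the shards. The grid size, the prime modulus, the sample minutiae and the threshold are constructed values, and the servers return output shards to the subject, who reconstructs and thresholds (the FIG. 6 variant of Section 5.0); the SPDZ MACs and offline data are omitted.

```python
# Added example, not code from the patent: binary MCC-style encoding,
# additive sharding across n servers, and a subset-sum match on shards.
# Grid size, modulus, minutiae and threshold are constructed values.
import secrets

NX, NY, NTHETA = 8, 8, 6          # quantised (x, y, theta) cells (assumption)
CELL = 16                         # pixels per x/y cell
THETA_CELL = 360 // NTHETA        # degrees per angle cell
P = 2**61 - 1                     # prime modulus for additive shares


def cell_index(x, y, theta):
    """Map a minutia (x, y in pixels, theta in degrees) to one cell of the
    three-dimensional quantised structure."""
    cx = min(x // CELL, NX - 1)
    cy = min(y // CELL, NY - 1)
    ct = (theta % 360) // THETA_CELL
    return (cx * NY + cy) * NTHETA + ct


def encode(minutiae):
    """Binary encoding E_T: 1 in every cell that holds a minutia, 0 elsewhere."""
    enc = [0] * (NX * NY * NTHETA)
    for m in minutiae:
        enc[cell_index(*m)] = 1
    return enc


def shard(enc, n):
    """Additive secret sharing over Z_P: n vectors that sum to enc element-wise.
    Any n-1 of them are uniformly random and reveal nothing about enc."""
    shares = [[secrets.randbelow(P) for _ in enc] for _ in range(n - 1)]
    last = [(v - sum(s[i] for s in shares)) % P for i, v in enumerate(enc)]
    return shares + [last]


def reconstruct(values):
    """Combine one shard from each server back into the secret value."""
    return sum(values) % P


def server_subset_sum(share, subset):
    """Each server's local work: add up its shard at the cells selected by
    the subject's confident subset.  Summation is linear, so this needs no
    interaction; the result is a shard of the dot product E_T . E_P'."""
    return sum(share[i] for i in subset) % P


def authenticate(enrol_shards, confident_subset, threshold):
    """Subject supplies the minutiae of P', each server returns an output
    shard, the subject reconstructs the score and applies the threshold."""
    subset = sorted({cell_index(*m) for m in confident_subset})
    output_shards = [server_subset_sum(s, subset) for s in enrol_shards]
    score = reconstruct(output_shards)
    return score, score > threshold


# Constructed sample data: (x, y, theta) triples.
ENROLLED_MINUTIAE = [(10, 20, 30), (40, 50, 100), (70, 90, 200), (100, 30, 300),
                     (120, 120, 45), (20, 100, 180), (90, 60, 250)]
# Genuine probe: five minutiae jittered a few pixels/degrees, one drifted out.
GENUINE_PROBE = [(12, 22, 35), (42, 52, 105), (68, 88, 205), (98, 28, 305),
                 (118, 118, 50), (30, 90, 180)]
# Impostor probe: unrelated minutiae with a single coincidental cell hit.
IMPOSTOR_PROBE = [(5, 5, 0), (60, 60, 60), (100, 100, 120), (40, 50, 200),
                  (120, 20, 300), (80, 10, 90), (11, 19, 40)]
THRESHOLD = 3

if __name__ == "__main__":
    shards = shard(encode(ENROLLED_MINUTIAE), 3)        # three servers
    print("genuine :", authenticate(shards, GENUINE_PROBE, THRESHOLD))   # (5, True)
    print("impostor:", authenticate(shards, IMPOSTOR_PROBE, THRESHOLD))  # (1, False)
```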

5.0 Exemplary Embodiment Summary

In one embodiment, the final overall flow is the combination of the enrollment flow (depicted in FIG. 4) and the authentication flow (depicted in FIG. 6), discussed below.

An individual, who is user U, scans her biometric data and, via what we shall call a “first biometric computer,” generates an encoding of the individual's biometric data. The encoding is used by the first biometric computer to generate shards of her biometric data as well as additional information that aids in the execution of the MPC protocol but is not related to U's biometric data. The shards and other data are distributed to the servers for use during the online authentication phase.

In the course of a later authentication process, a subject, who is user U′ to be authenticated (and purporting to be the individual), scans her biometric data and, via what we shall call a “second biometric computer system,” generates these biometric data and an associated encoded template. Once this has occurred, U′ generates shards of her biometric data and distributes them to the servers.

Finally, the servers independently run the online MPC protocol (e.g., SPDZ, FSS) using the offline data generated at enrollment to compute the biometric match function. At this point, each server independently holds a shard of the output O; these shards are returned to U′, who determines whether the authentication was successful.

In another embodiment, the final overall flow is the combination of the enrollment flow (depicted in FIG. 4) and the authentication flow (depicted in FIG. 5).

An individual, who is user U, scans her biometric data and, via what we shall call a “first biometric computer,” generates an encoding of the individual's biometric data. The encoding is used by the first biometric computer to generate encrypted shards of her biometric data as well as additional information that aids in the execution of the MPC protocol but is not related to U's biometric data. The encrypted shards and other data are distributed to the servers for use during the online authentication phase.

In the course of a later authentication process, a subject, who is user U′ to be authenticated (and purporting to be the individual), scans her biometric data and, via what we shall call a “second biometric computer system,” generates a confident subset of these biometric data and an associated encoded template. Once this has occurred, U′ and the servers run the subset selection protocol, by which each server is provided a distinct set of decrypted shards of the encoded template but is not provided with information by which such server could by itself determine the location of the decrypted shards.

Finally, the servers independently run the online MPC protocol (e.g., SPDZ) using the offline data generated at enrollment to compute the biometric match function. At this point, each server has independently determined the biometric match. U′ is considered to be authenticated if all servers accept. Otherwise, U′ is not authenticated.

Embodiments of the present invention are more efficient than previous multiparty computation approaches. For example, by (1) treating the enrolling user as a universally trusted individual among a set of mutually distrusting servers, and (2) using our secure subset selection algorithm, we are able to remove the expensive offline phase of interactive MPC protocols (such as computing multiplication triplets, etc.). By simplifying the authentication protocol to a dot product, we reduce the number of rounds during the online phase to an acceptable number (for example, approximately 5 rounds, depending on precision).

In one embodiment, one or more servers enforce rate limiting or account lock-out if a condition is met. One skilled in the art would be familiar with such conditions. They may include, for example: too many incorrect authentications attempted, authentication attempts originating from certain locations, authentication attempts at certain times (e.g., time of day or date that indicates higher risk or uncharacteristic behavior for the user), authentication attempts with varied identity assurance requirements, authentication attempts with factors that denote a certain risk level, etc. In one embodiment, after the condition is met, a security process is implemented. The security process may include, for example, preventing further authentication attempts for a period of time; notifying a user, server, or organization of suspicious behavior; and/or increasing the requirements for subsequent authentication, etc.

6.0 Additional Exemplary Embodiments

In another exemplary embodiment, the user may present multiple biometric modalities which are combined to form a single encoded template and/or confident subset.

In another embodiment, the user may present multiple biometric modalities, each of which is encoded and authenticated as described herein. Each generates a separate output value O. These output values are combined to determine whether the subject is authenticated as the individual.

In another embodiment, these output values combine to form a secret key.

In another embodiment, the same biometric shards may be enrolled at two (or more) separate thresholds by having U perform the offline phase for computing ƒ(E_T, P′) at two (or more) thresholds and sending each of these sets along with her shards. During authentication, the desired threshold is selected, and the associated auxiliary data for computing ƒ(E_T, P′) at the desired threshold are recalled and used in the authentication protocol. In one embodiment, by authenticating at a lower threshold, which may have an easier user experience and lower False Reject Rate (FRR) but higher False Accept Rate (FAR), the subject is able to access lower risk functionality, such as viewing her account balance on a mobile banking app on her phone. In order for her to access certain functionality or authorize a higher risk transaction such as a high value transaction, she is required to authenticate at the higher threshold. In some embodiments, authenticating at the higher level requires additional factors, biometrics, or inputs.

In another embodiment, the shards and auxiliary data are encrypted at rest by one or more of the servers. This enables tiering the security.

In another exemplary embodiment, during the enrollment phase, an individual scans his/her fingerprints and enters his/her pin code on a device.

A first biometric computer system trusted by the individual determines the confident subset of the biometric input data. The first biometric computer system characterizes the confident subset as an ordered list or matrix of locations and unique biometric elements (e.g., minutiae). Every element is sharded by the first biometric computer system into n shards, where n is greater than 1. No shard characterizes even part of the biometric. In some embodiments, if an adversary obtained all but one of the n shards, the adversary still would not be able to recover any biometric information—all n shards would be needed. In another embodiment, a threshold number of shards is sufficient to recover biometric information.

In some embodiments, in order to obscure the location information, the first biometric computer system applies an ordering scheme. In some embodiments, the ordering scheme is based in part on the authentication inputs, such as the pin or fingerprints. In one embodiment, the sets of shards sent to servers each have the same ordering scheme applied. The first biometric computer system generates n sets of shards. The first biometric computer system also generates n unique and corresponding noise data sets to be used during the authentication phase.

In one embodiment, n is 2. The first set of shards is encrypted using key A. The second set of shards is encrypted using key B. The first biometric computer system sends to Server 1 a data collection that includes (a) the set of shards encrypted using key A, (b) key B, and (c) a noise data set. Similarly, the first biometric computer system sends to Server 2 a distinct data collection that includes (a) the set of shards encrypted using key B, (b) key A, and (c) a noise data set. It should be pointed out that Server 1 holds the key B that is used to encrypt the shards held by Server 2, and Server 2 holds the key A that is used to encrypt the shards held by Server 1, so that neither server is capable of decrypting the shards it holds using the key it holds. This is one example of the novel method of distributing shards and keys to different servers.

In one embodiment, the information sent by the processor is authenticated and/or signed. In the authentication phase, a subject purporting to be the individual scans his fingerprints and enters his pin code on a second device. A second biometric computer system coupled to the second device determines a confident subset of the biometric input data. In one embodiment, the second biometric computer system applies the ordering scheme to the confident subset. (In another embodiment, the second biometric computer system applies a reverse of the ordering scheme to the encrypted sets of shards instead.)

Server 1 sends the set of shards encrypted using key A to the second biometric computer system. Server 2 sends the set of shards encrypted using key B to the second biometric computer system. In one embodiment, the information sent by the server is authenticated. The information may be sent over a secure channel.

Using the confident subset, the second biometric computer system selects a new subset of each of the encrypted sets of shards.

In one embodiment, an ordering scheme (which may or may not be the same ordering scheme used previously) is applied to the new subsets. In another embodiment, locations are not included in the new subset. The second biometric computer system sends the new subset of shards that is encrypted using key A to Server 2. The second biometric computer system sends the new subset of shards that is encrypted using key B to Server 1.

In one embodiment, the information sent by the second biometric computer system is authenticated and/or signed. Server 1 uses key B to decrypt the new subset of shards that is encrypted using key B. Server 2 uses key A to decrypt the new subset of shards that is encrypted using key A. Now both servers have a decrypted set of shards of the confident subset of biometrics from the subject purporting to be the individual. However, since location information is not included or not known, the compromise of even the decrypted shards does not compromise the biometric information.

In one embodiment, Server 1 and Server 2 communicate with each other without sharing the decrypted shards. The noise data sets make this secure communication more efficient: fewer computations are required and less data needs to be exchanged between Server 1 and Server 2. This novel method enables secure communication among 2 or more servers in a very efficient way, leveraging auxiliary data (for example, a noise data set) provided at the time of enrollment by a trusted party, which in some embodiments is the enrolling person or processor.

Once the computation is completed, Server 1 and Server 2 are able to determine (or have already determined) whether the subject is authenticated as the individual or not. In one embodiment, this determination is based on the combination of the shards revealing whether the subject's confident subset was able to select sufficient unique biometric minutiae from the individual's enrolled data set, without the need for non-transient storage of the subject's data set. What is “sufficient” may depend on a threshold that can be adjusted, for example to reduce the false reject rate (FRR) or false accept rate (FAR).
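As an added example (not the patent's own code) of the two-server embodiment just described: Server 1 stores shards sealed under key A together with key B, Server 2 stores shards sealed under key B together with key A, and during authentication each server decrypts only the other server's selected shards, shipped without their positions. The cipher (an HMAC-SHA256 keystream plus an HMAC tag) is a stand-in for a real authenticated encryption scheme, the noise data sets that make the inter-server step cheaper are omitted, and all keys and sample vectors are constructed.

```python
# Added example, not the patent's code: cross-key distribution of encrypted
# shards between two servers and the subset-sum match after the exchange.
import hashlib
import hmac
import secrets

P = 2**61 - 1                      # modulus for additive shards (assumption)
SYS_RAND = secrets.SystemRandom()


def seal(key, value):
    """Encrypt one shard (an int below 2**64) under `key`.
    Layout: 16-byte random nonce | 8-byte ciphertext | 16-byte HMAC tag.
    The nonce, not the shard's position, drives the keystream, so the blob
    can later be shipped and decrypted without revealing where it came from.
    This is a teaching stand-in for a real AEAD, not a production cipher."""
    nonce = secrets.token_bytes(16)
    keystream = hmac.new(key, nonce, hashlib.sha256).digest()[:8]
    ct = bytes(a ^ b for a, b in zip(value.to_bytes(8, "big"), keystream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def open_shard(key, blob):
    """Verify and decrypt a sealed shard; a wrong key raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:24], blob[24:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or tampered blob")
    keystream = hmac.new(key, nonce, hashlib.sha256).digest()[:8]
    return int.from_bytes(bytes(a ^ b for a, b in zip(ct, keystream)), "big")


def enroll(encoding):
    """First biometric computer: split every element into 2 additive shards,
    seal set 1 under key A and set 2 under key B, and hand each server the
    OTHER set's key.  Returns the two server states."""
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    set1 = [secrets.randbelow(P) for _ in encoding]
    set2 = [(v - s) % P for v, s in zip(encoding, set1)]
    server1 = {"stored": [seal(key_a, s) for s in set1], "key": key_b}
    server2 = {"stored": [seal(key_b, s) for s in set2], "key": key_a}
    return server1, server2


def own_key_decrypts(server):
    """True only if a server can open the shards it stores with the key it holds."""
    try:
        open_shard(server["key"], server["stored"][0])
        return True
    except ValueError:
        return False


def authenticate(server1, server2, confident_subset, threshold):
    """Second biometric computer fetches both sealed sets, keeps the cells of
    its confident subset, shuffles away the positions, and routes key-A blobs
    to Server 2 and key-B blobs to Server 1.  Each server decrypts what it
    received and sums it; the two partial sums (each uniformly random on its
    own) are exchanged and combine into the match score."""
    idx = list(confident_subset)
    SYS_RAND.shuffle(idx)                   # neither server learns the positions
    to_server2 = [server1["stored"][i] for i in idx]   # sealed under key A
    to_server1 = [server2["stored"][i] for i in idx]   # sealed under key B
    partial1 = sum(open_shard(server1["key"], b) for b in to_server1) % P
    partial2 = sum(open_shard(server2["key"], b) for b in to_server2) % P
    score = (partial1 + partial2) % P       # exchanged between the servers
    accept1 = score > threshold             # Server 1's decision
    accept2 = score > threshold             # Server 2's decision
    return score, accept1 and accept2       # authenticated only if both accept


# Constructed sample data: a 24-cell binary encoding of the enrolled template
# and the cell indices selected by two confident subsets.
ENROLLED = [1, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1]
GENUINE_SUBSET = [0, 3, 4, 8, 10, 15, 21]     # six enrolled cells, one miss
IMPOSTOR_SUBSET = [1, 2, 5, 6, 9, 11, 17]     # one coincidental hit
THRESHOLD = 4

if __name__ == "__main__":
    s1, s2 = enroll(ENROLLED)
    print("server can read own shards:", own_key_decrypts(s1))        # False
    print("genuine :", authenticate(s1, s2, GENUINE_SUBSET, THRESHOLD))   # (6, True)
    print("impostor:", authenticate(s1, s2, IMPOSTOR_SUBSET, THRESHOLD))  # (1, False)
```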


The embodiments of the invention described above are intended to be merely exemplary; numerous variations and modifications will be apparent to those skilled in the art. All such variations and modifications are intended to be within the scope of the present invention as defined in any appended claims.

What is claimed is:
1. A system for using biometric data to authenticate a subject as an individual whose biometric data has been previously obtained using a first transducer coupled to a first computing facility, the system having computing components comprising: a second transducer having a digital electronic signal output that characterizes a biometric of the subject; a second computing facility, coupled to the second transducer, configured to receive from the second transducer the digital electronic signal; and an array of servers; the second computing facility, the array of servers, and a computer-readable medium encoded with instructions, which upon execution by the foregoing computing components, establish computer processes comprising: causing, by the second computing facility, generating of shards from the digital electronic signal and distributing of the generated shards to the array of servers; causing, by a subset of the array of servers, storing of the generated shards and performing of a data exchange process using a subset of the generated shards to develop information relating to authentication of the subject, and causing, by the subset of the array of servers, processing of the authentication information in a verification process to indicate whether the subject is authenticated as the individual.
2. A system according to claim 1, wherein the computer processes further comprise causing generation of a key of the subject using the authentication information.
3. A system according to claim 2, wherein causing the processing of the authentication information includes causing development of a signed message using the key and causing the signed message to be used in the verification process.
4. A system according to claim 1, wherein the computer processes further comprise causing a third computing facility to perform the verification process.
5. A system according to claim 4, wherein the third computing facility is the same as the second computing facility.
6. A system according to claim 1, wherein the computer processes comprise causing the second computing facility to perform the verification process.
7. A system according to claim 1, wherein the computer processes comprise causing generation of a signed message using the authentication information.
8. A system according to claim 1, wherein the computer processes further comprise receiving, by a third computing facility, the information relating to authentication of the subject.
9. A system according to claim 1, wherein the computer processes further comprise receiving, by the second computing facility, the information relating to authentication of the subject.
10. A system for using biometric data to authenticate a subject as an individual whose biometric data has been previously obtained using a first transducer coupled to a first computing facility, the system having computing components comprising: a second transducer having a digital electronic signal output that characterizes a biometric of the subject; a second computing facility, coupled to the second transducer, configured to receive from the second transducer the digital electronic signal; and an array of servers; the second computing facility, the array of servers, and a computer-readable medium encoded with instructions, which upon execution by the foregoing computing components, establish computer processes comprising: causing, by the second computing facility, generating of shards from the digital electronic signal and distributing of the generated shards to the array of servers; receiving and storing by the array of servers the generated shards; performing, by a subset of the array of servers, a data exchange process using a subset of the generated shards to develop information relating to authentication of the subject; and causing the subset of the array of servers to transmit the information developed, wherein the developed information is configured to cause generation of an output value indicating whether the subject is authenticated as the individual.
11. A system according to claim 10, wherein the computer processes are performed under conditions wherein the computing components are configured as information-sharing restricted with respect to a set of items of information selected from the group consisting of the output value, the digital electronic signal, the individual's biometric data, the subject's biometric, and the generated shards.
12. A system according to claim 10, wherein causing by the second computing facility further includes causing encoding of the digital electronic signal, so that the generated shards are also encoded.
13. A system according to claim 12, wherein causing encoding includes causing use of a neural net to achieve encoding.
14. A system according to claim 12, wherein causing encoding includes causing representation of the digital electronic signal as a set of vectors in a metric space.
15. A system according to claim 14, wherein performing the data exchange process, using the subset of the generated shards to develop information relating to authentication of the subject, includes computing a set of distances in the metric space.
16. A system according to claim 10, wherein the data exchange process includes a multiparty computation wherein none of the servers in the server array obtains intermediate values of the multiparty computation.
17. A system according to claim 10, wherein a selected group of the array of servers causes generation of new shards based on the generated shards.
18. A system according to claim 10, wherein a share is revocable by a revocation process that includes the data exchange process.
19. A system according to claim 18, wherein, upon revocation of the shard, generation of a new shard does not require the individual to re-engage with the first transducer.
20. A system according to claim 18, wherein the revocation process does not require communication between the computing facility and the array of servers.
21. A system according to claim 18, wherein the revocation process includes performing the data exchange process using a subset of the subset of generated shards from a subset of the array of servers.
22. A system according to claim 10, wherein the data exchange process involves communication among a selected group of servers from the array of servers.
23. A system according to claim 10, wherein performing the data exchange process includes separately processing, by each server, its generated shards of the individual along with its generated shards of the subject to generate a new set of shards, the new set of shards constituting the output value.
24. A system according to claim 10, wherein receiving and storing by the array of servers the generated shards includes receiving and storing message authentication codes for the shards and the data exchange process includes using the message authentication codes to confirm that the output value indicating whether the subject is authenticated as the individual is itself authentic.
25. A system according to claim 10, wherein receiving and storing by the array of servers the generated shards includes receiving and storing shards of Beaver triples distributed across the array of servers with the generated shards.
26. A system according to claim 25, wherein receiving and storing by the array of servers the generated shards includes receiving and storing message authentication codes for the Beaver triples.
27. A system according to claim 10, wherein receiving and storing by the array of servers the generated shards includes receiving and storing shards of a corresponding message authentication code key.
28. A system according to claim 10, wherein receiving and storing by the array of servers the generated shards includes receiving and storing shards of a random value.
29. A system according to claim 10, wherein receiving and storing by the array of servers the generated shards includes receiving and storing shards of a function that contributes to an authentication process.
30. A system according to claim 10, wherein receiving and storing by the array of servers the generated shards includes extracting a confident subset of a set of biometric values of the subject in the digital electronic signal.
31. A system according to claim 10, wherein receiving and storing by the array of servers a set of values to enable efficient subsequent generation of shards includes receiving and storing items selected from the group consisting of Beaver triples, authentication shares, message authentication code shards, random shards, other shards, and combinations thereof.
32. A system according to claim 10, wherein the data exchange process includes causing the array of servers to execute a multiparty computation algorithm to determine a blinded value, causing the array of servers to compute a corresponding shard, and to return, to the second computing facility, the computed shard along with values for the message authentication codes previously computed, causing the second computing facility to use the shard data to determine whether the subject is authenticated as the individual and to evaluate the message authentication codes.
33. A system for securely enrolling biometric data of an individual for purposes of later authentication of a subject as the individual, the system having computing components comprising: a first transducer having a digital electronic signal output that characterizes a biometric of the individual; a first computing facility, coupled to the first transducer, configured to receive from the first transducer the digital electronic signal; an array of servers; and a second computing facility; the first computing facility, the array of servers, the second computing facility, and a computer-readable medium encoded with instructions, which upon execution by the foregoing computing components, establish computer processes comprising: causing generating of original shards from the digital electronic signal; distributing, across the array of servers, the generated original shards; and causing the array of servers to store the generated original shards; the generated original shards being stored under conditions wherein the generated original shards are revocable.
34. A system according to claim 33, wherein the first computing facility, the array of servers, and the second computing facility are configured to implement computer processes further comprising: causing generating of new shards based on the original shards.
35. A system according to claim 34, wherein generating new shards does not require communication between the first computing facility and the array of servers.
36. A system according to claim 33, wherein, in the computer processes implemented by the first computing facility, the array of servers, and the second computing facility, distributing, across the array of servers, the generated original shards further includes: distributing the generated original shards across the array of servers along with helper information selected from the group consisting of Beaver triples, function secret shares, and combinations thereof, such helper information being available for use in later authentication of the subject; and causing the array of servers to store the helper information in association with the generated original shards.
37. A system for securely enrolling biometric data of an individual for purposes of later authentication of a subject as the individual, the system having computing components comprising: a first transducer having a digital electronic signal output that characterizes a biometric of the individual; a first computing facility, coupled to the first transducer, configured to receive from the first transducer the digital electronic signal; an array of servers; and a second computing facility; the first computing facility, the array of servers, the second computing facility, and a computer-readable medium encoded with instructions, which upon execution by the foregoing computing components, establish computer processes comprising: causing generating of original shards from the digital electronic signal; distributing, across the array of servers, the generated original shards; causing the array of servers to store the generated original shards; and causing generating of new shards based on the original shards.
38. A system according to claim 37, wherein generating new shards does not require communication between the first computing facility and the array of servers.